624c6eab20
* Clean vertical lines * Make sidebar slightly larger on bigger displays * Separate backend configurations into their own pages
4.2 KiB
| layout | page_title | sidebar_current | description |
|---|---|---|---|
| docs | Etcd - Storage Backends - Configuration | docs-configuration-storage-etcd | The Etcd storage backend is used to persist Vault's data in Etcd. It supports both the v2 and v3 Etcd APIs, and the version is automatically detected based on the version of the Etcd cluster. |
Etcd Storage Backend
The Etcd storage backend is used to persist Vault's data in Etcd. It supports both the v2 and v3 Etcd APIs, and the version is automatically detected based on the version of the Etcd cluster.
-
High Availability – the Etcd storage backend supports high availability. The v2 API has known issues with HA support and should not be used in HA scenarios.
-
Community Supported – the Etcd storage backend is supported by the community. While it has undergone review by HashiCorp employees, they may not be as knowledgeable about the technology. If you encounter problems with them, you may be referred to the original author.
backend "etcd" {
address = "http://localhost:2379"
etcd_api = "v3"
}
etcd Parameters
-
address(string: "http://localhost:2379")– Specifies the addresses of the Etcd instances as a comma-separated list. This can also be provided via the environment variableETCD_ADDR. -
etcd_api(string: "<varies>")– Specifies the version of the API to communicate with. By default, this is derived automatically. If the cluster version is 3.1+ and there has been no data written using the v2 API, the auto-detected default is v3. -
ha_enabled(bool: false)– Specifies if high availability should be enabled. This can also be provided via the environment variableETCD_HA_ENABLED. -
path(string: "vault/")– Specifies the path in Etcd where Vault data will be stored. -
sync(string: "true")– Specifies whether to sync the list of available Etcd services on startup. This is a string that is coerced into a boolean value. You may want to set this to false if your cluster is behind a proxy server and syncing causes Vault to fail. -
username(string: "")– Specifies the username to use when authenticating with the Etcd server. This can also be provided via the environment variableETCD_USERNAME. -
password(string: "")– Specifies the password to use when authenticating with the Etcd server. This can also be provided via the environment variableETCD_PASSWORD. -
tls_ca_file(string: "")– Specifies the path to the CA certificate used for Etcd communication. This defaults to system bundle if not specified. -
tls_cert_file(string: "")– Specifies the path to the certificate for Etcd communication. -
tls_key_file(string: "")– Specifies the path to the private key for Etcd communication.
This backend also supports the following high availability parameters. These are discussed in more detail in the HA concepts page.
-
cluster_addr(string: "")– Specifies the address to advertise to other Vault servers in the cluster for request forwarding. This can also be provided via the environment variableVAULT_CLUSTER_ADDR. -
disable_clustering(bool: false)– Specifies whether clustering features such as request forwarding are enabled. Setting this to true on one Vault node will disable these features only when that node is the active node. -
redirect_addr(string: <required>)– Specifies the address to advertise to other Vault servers in the cluster for client redirection. This can also be provided via the environment variableVAULT_REDIRECT_ADDR.
etcd Examples
Custom Authentication
This example shows connecting to the Etcd cluster using a username and password.
backend "etcd" {
username = "user1234"
password = "pass5678"
}
Custon Path
This example shows storing data in a custom path.
backend "etcd" {
path = "my-vault-data/"
}
Enabling High Availability
This example show enabling high availability for the Etcd storage backend.
backend "etcd" {
ha_enabled = true
redirect_addr = "vault-leader.my-company.internal"
}