HashiCorp Vault

HashiCorp Vault — auth methods, secrets engines, policies, leases

Namespace: weave vault · Env: VAULT_ADDR · Commands: 6 · State kinds: 1 · Category: Secrets & Config · API docs: 1

Setup

Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.

Official API reference

weave commands for this module are checked against the vendor's published API.

Variable            Description                                             Status
VAULT_ADDR          Required for authentication.                            required
VAULT_TOKEN         Required for authentication.                            required
VAULT_NAMESPACE     Enterprise namespace header (Vault Enterprise / HCP).   optional
VAULT_SKIP_VERIFY   Set to 1 to skip TLS verification (lab only).           optional
VAULT_ROLE_ID       AppRole role_id when not using VAULT_TOKEN.             optional
VAULT_SECRET_ID     AppRole secret_id paired with VAULT_ROLE_ID.            optional

Sanity-check the wiring:

weave secrets check
weave vault --help
weave doctor   # reports VAULT_ADDR status

Capabilities

What this module can do, by entity and verb. ✓ means a working CLI surface; · means not (yet) wired. The marks below follow the commands registered in the Commands and State kinds sections.

Entity     find  list  show  do  snapshot  diff  apply
auth       ·     ✓     ·     ·   ·         ·     ·
lease      ·     ·     ·     ✓   ·         ·     ·
mount      ·     ✓     ·     ·   ·         ·     ·
policies   ·     ✓     ·     ·   ✓         ✓     ✓
policy     ·     ·     ✓     ·   ·         ·     ·

Commands

Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.

list (3)

list auth

read

List enabled auth methods.

weave vault list auth <arg>

list mounts

read

List enabled secrets engine mounts.

weave vault list mounts <arg>

list policies

read

List ACL policies.

weave vault list policies <arg>

show (1)

show policy

read

Show a policy by name.

weave vault show policy <name>

do (2)

do renew

write

Renew a lease by id.

weave vault do renew <lease-id>

do revoke

write

Revoke a lease by lease id.

weave vault do revoke <lease-id>

snapshot / diff / apply are generated automatically from the State Kinds declared on this module — see the State kinds section below for per-kind details. Workflow: snapshot → edit YAML → diff → apply --yes (or confirm interactively; apply --dry-run previews the same diff).

State kinds

Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/vault/.

policies

Verbs: snapshot · diff · apply

Scope: All ACL policies on the Vault cluster (HCL body inlined).
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: vault
kind: policies
items:
  - # <fields specific to this kind — see snapshot output>

Workflows

End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.

ACL policy as code

weave vault snapshot policies
$EDITOR .weave-state/vault/policies.yaml
weave vault diff policies
weave vault apply policies --yes

Audit mounts and auth methods

weave vault list mounts
weave vault list auth
weave vault show policy default

Revoke a leaked lease

weave vault do revoke <lease-id> --yes

Extend a short-lived token lease

weave vault do renew <lease-id> --yes
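A pre-flight wrapper that encodes the rules from the Setup variable table and guards the ACL policy-as-code recipe above. This is an added example, not weave's own code: it assumes weave is on PATH, treats list/show/snapshot/diff as read verbs and do/apply as write verbs (as the command list marks them), and adds one rule of its own, that no write verb runs with VAULT_SKIP_VERIFY=1 or a non-https VAULT_ADDR.

```shell
#!/bin/sh
# Added example, not part of weave: pre-flight checks built from the Setup table.

# is_write_verb VERB -> 0 when VERB writes to Vault (do, apply), 1 otherwise.
is_write_verb() {
  case "$1" in
    do|apply) return 0 ;;
    *)        return 1 ;;
  esac
}

# vault_env_check VERB -> 0 when the wiring is sound for that verb, 1 otherwise.
# VAULT_ADDR is always required; auth is VAULT_TOKEN or the AppRole pair
# VAULT_ROLE_ID + VAULT_SECRET_ID. VAULT_SKIP_VERIFY=1 is lab-only, so (our
# assumption, not a weave rule) write verbs refuse it and plain-http addresses.
vault_env_check() {
  verb="$1"
  if [ -z "${VAULT_ADDR:-}" ]; then
    echo "VAULT_ADDR is required" >&2
    return 1
  fi
  if [ -z "${VAULT_TOKEN:-}" ]; then
    if [ -z "${VAULT_ROLE_ID:-}" ] || [ -z "${VAULT_SECRET_ID:-}" ]; then
      echo "set VAULT_TOKEN, or both VAULT_ROLE_ID and VAULT_SECRET_ID" >&2
      return 1
    fi
  fi
  if is_write_verb "$verb"; then
    if [ "${VAULT_SKIP_VERIFY:-0}" = "1" ]; then
      echo "refusing '$verb' with TLS verification disabled" >&2
      return 1
    fi
    case "$VAULT_ADDR" in
      https://*) ;;
      *) echo "refusing '$verb': VAULT_ADDR is not https" >&2; return 1 ;;
    esac
  fi
  return 0
}

# Guarded ACL policy-as-code rollout: preview with --dry-run, then apply with
# the interactive confirmation (add --yes only in reviewed automation).
policy_rollout() {
  vault_env_check apply || return 1
  weave vault snapshot policies || return 1
  "${EDITOR:-vi}" .weave-state/vault/policies.yaml || return 1
  weave vault diff policies || return 1
  weave vault apply policies --dry-run || return 1
  weave vault apply policies
}
```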

Terraform parity

For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.

Terraform resource    weave equivalent                                              Note
vault_policy          weave vault snapshot/diff/apply policies + list/show policy
vault_auth_backend    weave vault list auth                                         Read-only — enable/disable auth backends not wired.
vault_mount           weave vault list mounts                                       Read-only — secrets engine provisioning stays in Terraform.
(lease operations)    weave vault do revoke / renew                                 Operational verbs unique to weave — no Terraform equivalent.

Troubleshooting & source

Missing credentials

Run weave doctor — it reports which env vars (including VAULT_ADDR) are set and which are blank.

Unexpected behaviour from a state apply

Re-run weave vault diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.