juju deploy cs:vault
Show information
Channel Version Platform
latest/stable 42
20.10 20.04 LTS 19.10 18.04 LTS 16.04 LTS


20.10 20.04 LTS 19.10 18.04 LTS 16.04 LTS


a tool for managing secrets Read more

Relevant links

Discuss this charm

Share your thoughts on this charm with the community on discourse.

Join the discussion


Vault secures, stores, and controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted key/value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more.

The charm installs Vault from a snap.



This section covers common configuration options. See file config.yaml for the full list of options, along with their descriptions and default values.


The channel option sets the snap channel to use for deployment (e.g. 'latest/edge'). The default value is 'latest/stable'.


Deploy a single vault unit in this way:

juju deploy vault

Then relate it to either MySQL or PostgreSQL.

For MySQL 5:

juju add-relation vault:shared-db percona-cluster:shared-db

For MySQL 8:

juju deploy mysql-router vault-mysql-router
juju add-relation vault-mysql-router:db-router mysql-innodb-cluster:db-router
juju add-relation vault-mysql-router:shared-db vault:shared-db

For PostgreSQL, its version and the underlying machine series must be compatible (e.g. 9.5/xenial or 10/bionic). Use configuration option version with the postgresql charm to select a version. For example, on Xenial:

juju deploy --config version=9.5 --series xenial postgresql
juju add-relation vault:db postgresql:db

Post-deployment tasks

Once the vault application is deployed the following tasks must be performed:

  • Vault initialisation
  • Unsealing of Vault
  • Charm authorisation

These tasks are covered in appendix Vault of the OpenStack Charms Deployment Guide.


This section lists Juju actions supported by the charm. Actions allow specific operations to be performed on a per-unit basis.

  • authorize-charm
  • disable-pki
  • generate-root-ca
  • get-csr
  • get-root-ca
  • pause
  • refresh-secrets
  • reissue-certificates
  • resume
  • upload-signed-csr

To display action descriptions run juju actions vault. If the charm is not deployed then see file actions.yaml.


Please report bugs on Launchpad.

For general charm questions refer to the OpenStack Charm Guide.