gitlab, gitlab-ci, hashicorp-vault, gitlab-api

Hashicorp Vault - Send command or api call on variable edit


Let's suppose I make a change over one variable in a Key-Value engine in my Hashicorp Vault.

Once I apply the change, it will create a new version of my variable, as expected.

Can I, somehow, send an API call or at least run a command coming from Hashicorp Vault itself? What I want to achieve is that, when I change a variable inside Hashicorp Vault, I can trigger a CI/CD build inside GitLab CI.


Solution

  • No, Hashicorp Vault itself does not have any event/callback or similar mechanism for when secrets are updated.

    However, depending on what storage backend you are using, you may be able to use features of your backend to support this. To give a few examples:

    • If you are using Consul as the backend for Vault, you can use watches in Consul to monitor for key/value pair changes.
    • If you are using DynamoDB, you can configure streams to trigger other workflows, like a lambda function to run your pipeline.
    • If you are using S3 as the storage backend, you can leverage S3 event notifications.

    Other backends will have their own mechanisms for this. However, not all backends will support this directly.

    If you don't have a backend that supports this, your next best bet would be to periodically poll and check for updated values. For example, you might use scheduled pipelines to do this.
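Worked example of the polling fallback, added here and not part of the answer above. It compares the `current_version` reported by Vault's KV v2 metadata endpoint against the version recorded on the previous run and, when it has moved, fires GitLab's pipeline trigger API. Polling the metadata path rather than the data path is deliberate: the poller's Vault policy only needs `read` on `secret/metadata/app/config`, so it never has to be able to read the secret value itself. The Vault address, GitLab URL, project id, mount name and secret path are placeholders, and the pipeline variable names are an assumption.

```python
"""Added example: poll a Vault KV v2 secret's version and trigger a GitLab
pipeline when it changes. Not part of the original answer; every hostname,
project id, mount and secret path below is an assumed placeholder."""
import json
import os
import urllib.parse
import urllib.request

# Assumed configuration, read from the environment so no token lives in code.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "https://vault.example.com")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")
GITLAB_URL = os.environ.get("GITLAB_URL", "https://gitlab.example.com")
GITLAB_PROJECT_ID = os.environ.get("GITLAB_PROJECT_ID", "123")  # hypothetical
GITLAB_TRIGGER_TOKEN = os.environ.get("GITLAB_TRIGGER_TOKEN", "")
GITLAB_REF = os.environ.get("GITLAB_REF", "main")
STATE_FILE = os.environ.get("VAULT_POLL_STATE", "vault-poll-state.json")


def metadata_url(addr, mount, path):
    """KV v2 metadata endpoint: version numbers and timestamps, never the data."""
    return f"{addr.rstrip('/')}/v1/{mount}/metadata/{path}"


def parse_current_version(metadata_body):
    """Extract current_version from a KV v2 metadata response body."""
    return int(metadata_body["data"]["current_version"])


def fetch_metadata(mount, path):
    """GET the secret's metadata with the poller's (metadata-read-only) token."""
    req = urllib.request.Request(
        metadata_url(VAULT_ADDR, mount, path),
        headers={"X-Vault-Token": VAULT_TOKEN},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def trigger_pipeline(variables):
    """POST /projects/:id/trigger/pipeline with token, ref and CI variables."""
    form = {"token": GITLAB_TRIGGER_TOKEN, "ref": GITLAB_REF}
    for key, value in variables.items():
        form[f"variables[{key}]"] = value
    req = urllib.request.Request(
        f"{GITLAB_URL.rstrip('/')}/api/v4/projects/{GITLAB_PROJECT_ID}/trigger/pipeline",
        data=urllib.parse.urlencode(form).encode(),
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_and_trigger(mount, path, last_version,
                      get_metadata=fetch_metadata, trigger=trigger_pipeline):
    """One poll step. Returns (version_seen, triggered).

    The first run only records a baseline; later runs trigger a pipeline
    whenever Vault's current_version differs from the recorded one.
    """
    current = parse_current_version(get_metadata(mount, path))
    if last_version is None or current == last_version:
        return current, False
    # Hand CI only the path and version; the job fetches the value from Vault itself.
    trigger({"VAULT_SECRET_PATH": f"{mount}/{path}",
             "VAULT_SECRET_VERSION": str(current)})
    return current, True


def load_state():
    try:
        with open(STATE_FILE) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}


def save_state(state):
    with open(STATE_FILE, "w") as f:
        json.dump(state, f)


if __name__ == "__main__":
    mount, path = "secret", "app/config"  # assumed KV v2 mount and secret path
    state = load_state()
    key = f"{mount}/{path}"
    version, fired = check_and_trigger(mount, path, state.get(key))
    state[key] = version
    save_state(state)
    print(f"{key}: version {version}, pipeline triggered: {fired}")
```

Run it from a scheduled GitLab pipeline (or cron) as often as you can tolerate lag between the secret write and the build. The Vault policy for the poller token only needs `path "secret/metadata/app/config" { capabilities = ["read"] }`; the pipeline that is triggered authenticates to Vault separately with its own identity. Note that a Consul watch or S3 notification on Vault's storage backend tells you only that an encrypted entry changed, not which secret, so even with a backend trigger you will usually still need a version check like this one to decide whether the change is the one you care about.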