How Each Tool Consumes Vault
Every consumer authenticates against the same devhome KV mount (see
Vault Overview), but each one reads secrets through a different
mechanism — worth knowing so you look in the right place when one of them can't find a
credential.
Terraform
data "vault_kv_secret_v2" data sources, resolved at plan/apply time via the
vault provider:
data "vault_kv_secret_v2" "vmware" {
mount = "devhome"
name = "vmware"
}
# ... data.vault_kv_secret_v2.vmware.data["vsphere_username"]
Requires VAULT_ADDR/VAULT_TOKEN in the environment the terraform command runs
in — sourced from .vault_env before any plan/apply (see
Developer Setup).
Ansible
The community.hashi_vault.vault_kv2_get lookup plugin, resolved once per secret in
group_vars/all.yml and reused throughout:
_vmware_secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'vmware', engine_mount_point='devhome').secret }}"
Downstream vars (e.g. kubeconfig_base_dir) then reference _vmware_secret.<key>
rather than calling the lookup repeatedly. Same VAULT_ADDR/VAULT_TOKEN
environment requirement as Terraform — this is why every ADO pipeline step that runs
Ansible sources .vault_env first.
Packer
Build credentials (devhome/packer in Vault) are provisioned into Terraform-managed
state via terraform/vault/packer.tf, keeping Packer on the same
"nothing hardcoded in a vars file" rule as everything else — a .pkrvars.hcl should
never contain a literal credential.
Local shell / ADO self-hosted agent
Anything invoked directly — a one-off curl against Vault's REST API, a PowerShell
script (bootstrap_esxi.ps1, the supervisor destroy scripts), or a manual debugging
session — sources .vault_env for VAULT_ADDR/VAULT_TOKEN and then either:
- calls the REST API directly:
- or, from PowerShell,
Invoke-RestMethodagainst the same endpoint (the pattern used throughoutbootstrap_esxi.ps1and the Tanzu Supervisor destroy scripts).
The self-hosted ADO agent (see Self-Hosted Azure DevOps Agent) uses this same raw-REST pattern for any pipeline step that isn't already Terraform or Ansible.
The one path that doesn't exist
devhome/vcenter — a couple of older scripts referenced this path with username/
password fields. It was never real post-reorg; the actual vCenter/ESXi credentials
live under devhome/vmware as vsphere_username/vsphere_password. If a script gets
an empty {"errors":[]} response from Vault, this is the first thing to check.