vault

mlflow_secrets_auth.providers.vault

HashiCorp Vault authentication provider.

VaultAuthProvider()

Bases: SecretsBackedAuthProvider

Authentication provider using HashiCorp Vault.

Supports token and AppRole authentication via the hvac client (optional dependency). Secrets are retrieved from KV v2 when possible with a graceful fallback to KV v1.

Environment variables

  • VAULT_ADDR: Vault server address, e.g. "https://vault.example.com".
  • VAULT_TOKEN: Vault token for direct authentication (optional).
  • VAULT_ROLE_ID: AppRole role ID (used if VAULT_TOKEN is not provided).
  • VAULT_SECRET_ID: AppRole secret ID (used if VAULT_TOKEN is not provided).
  • MLFLOW_VAULT_SECRET_PATH: Secret path (e.g. "secret/mlflow/auth" or "secret/data/mlflow/auth").
  • MLFLOW_VAULT_AUTH_MODE: "bearer" (default) or "basic".
  • MLFLOW_VAULT_TTL_SEC: Cache TTL in seconds (defaults to provider's default TTL).

Notes
  • When using KV v2, this implementation auto-detects common path formats and reads via client.secrets.kv.v2.read_secret_version.
  • For KV v1, it falls back to client.secrets.kv.v1.read_secret.
  • Secret dictionaries are JSON-encoded for centralized parsing in the base class.
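
The token-or-AppRole selection and the KV v2 read with KV v1 fallback described above can be sketched as follows. This is an added example, not the project's own code: the function names `split_kv_path`, `make_client` and `read_secret_json` are hypothetical, and the rule that the first path segment is the mount point and a following "data" segment is the KV v2 API prefix is an assumption about what "common path formats" covers.

```python
import json
import os


def split_kv_path(secret_path):
    """Split '<mount>/[data/]<path>' into (mount_point, path) for hvac's KV helpers.

    Assumption: the first segment is the mount point, and a 'data' segment right
    after it is the KV v2 API prefix, which hvac's v2 helper adds on its own.
    """
    parts = [p for p in secret_path.strip("/").split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"expected '<mount>/<path>', got {secret_path!r}")
    mount, rest = parts[0], parts[1:]
    if rest[0] == "data" and len(rest) > 1:
        rest = rest[1:]
    return mount, "/".join(rest)


def make_client(env=os.environ):
    """Build an hvac client from VAULT_* variables: token first, else AppRole."""
    import hvac  # optional dependency, imported only when a client is needed

    client = hvac.Client(url=env["VAULT_ADDR"])
    if env.get("VAULT_TOKEN"):
        client.token = env["VAULT_TOKEN"]
    else:
        client.auth.approle.login(
            role_id=env["VAULT_ROLE_ID"], secret_id=env["VAULT_SECRET_ID"]
        )
    return client


def read_secret_json(client, secret_path):
    """Read the secret via KV v2, fall back to KV v1, return it JSON-encoded."""
    mount, path = split_kv_path(secret_path)
    try:
        resp = client.secrets.kv.v2.read_secret_version(path=path, mount_point=mount)
        data = resp["data"]["data"]  # v2 nests the payload under data.data
    except Exception:
        # Broad catch so the sketch runs without hvac installed; with hvac present,
        # narrowing this to hvac.exceptions.InvalidPath keeps auth errors visible.
        resp = client.secrets.kv.v1.read_secret(path=path, mount_point=mount)
        data = resp["data"]  # v1 returns the payload directly under data
    return json.dumps(data)
```

If the KV v1 read also fails, its exception propagates to the caller, so a wrong path or a denied policy is not silently turned into an empty credential.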

Initialize the provider with a default TTL and a lazy hvac client.

Source code in src/mlflow_secrets_auth/providers/vault.py
def __init__(self) -> None:
    """Initialize the provider with a default TTL and a lazy hvac client."""
    super().__init__(PROVIDER_VAULT, default_ttl=DEFAULT_TTL_SECONDS)
    self._vault_client: Any | None = None  # hvac.Client if available