HashiCorp Developer AI Private beta now available Sign up today
Vault
Vault Home

You are viewing documentation for version v1.16.x. View latest version.

Vercel Project environment variables

The Vercel Project sync destination allows Vault to safely synchronize secrets as Vercel environment variables. This is a low footprint option that enables your applications to benefit from Vault-managed secrets without requiring them to connect directly with Vault. This guide walks you through the configuration process.

Prerequisites:

  • Ability to read or create KVv2 secrets
  • Ability to create Vercel tokens with access to modify project environment variables
  • Ability to create sync destinations and associations on your Vault server

Setup

  1. If you do not already have a Vercel token, navigate your account settings to generate credentials with the necessary permissions to manage your project's environment variables.

  2. Next you need to locate your project ID. It can be found under the Settings tab in your project's overview page.

  3. Configure a sync destination with the access token and project ID obtained in the previous steps.

    $ vault write sys/sync/destinations/vercel-project/my-dest \
    access_token="$TOKEN" \
    project_id="$PROJECT_ID" \
    deployment_environments=development \
    deployment_environments=preview \
    deployment_environments=production

    Output:

    Key                   Value
---                   -----
connection_details    map[access_token:***** deployment_environments:[development preview production] project_id:<project-id>]
name                  my-dest
type                  vercel-project

Usage

  1. If you do not already have a KVv2 secret to sync, mount a new KVv2 secrets engine.

    $ vault secrets enable -path='my-kv' kv-v2

    Output:

    Success! Enabled the kv-v2 secrets engine at: my-kv/

  2. Create secrets you wish to sync with a target Vercel project.

    $ vault kv put -mount='my-kv' my-secret foo='bar'

    Output:

    ==== Secret Path ====
my-kv/data/my-secret

======= Metadata =======
Key                Value
---                -----
created_time       <timestamp>
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

  3. Create an association between the destination and a secret to synchronize.

    $ vault write sys/sync/destinations/vercel-project/my-dest/associations/set \
  mount='my-kv' \
  secret_name='my-secret'

    Output:

    Key                   Value
---                   -----
associated_secrets    map[kv_1234/my-secret:map[accessor:kv_1234 secret_name:my-secret sync_status:SYNCED updated_at:<timestamp>]]
store_name            my-dest
store_type            vercel-project

  4. Navigate to your project's settings under the Environment Variables section to confirm your secret was successfully created in your Vercel project.

Moving forward, any modification on the Vault secret will be propagated in near real time to its Vercel environment variable counterpart. Creating a new secret version in Vault will overwrite the value in your Vercel Project. Deleting the secret or the association in Vault will delete the secret on Vercel as well.

Note

Vercel Project environment variables only support single value secrets, so KVv2 secrets from Vault will be stored as a JSON string. In the example above, the value for secret "my-secret" will be synced to Vercel as the JSON string {"foo":"bar"}.

API

Please see the secrets sync API for more details.