When to use Vault
Vault is optional. Direct credentials entered in the UI (encrypted at rest by Luumen) work fine for many environments. Reach for Vault when:- You already operate Vault and want Luumen to follow the same rotation policy as the rest of your systems.
- Compliance requirements rule out storing credentials in Luumen, even encrypted.
- You want to centralize host credentials and integration credentials in a single location.
Configure the Vault connection
Vault is enabled and configured from the Luumen UI. You’ll provide:| Setting | Description |
|---|---|
| Vault address | URL of your Vault server (e.g., https://vault.example.com). |
| KV version | The KV secrets engine version — v1 or v2. Defaults to v2. |
| Auth method | How the agent authenticates to Vault. The simplest option is a token; for production, prefer an auth method that rotates (AppRole, Kubernetes, etc.) configured via environment on the Patch server. |
VAULT_TOKEN environment variable on the agent service rather than entered in the UI. On systemd, that’s Environment=VAULT_TOKEN=... in the unit file (or an EnvironmentFile reference to a root-only file).
Reference a secret from a credential field
Once Vault is connected, any credential field in the UI (host password, integration credentials) accepts a Vault reference instead of a literal value. A reference points at a Vault path and the key within that path’s data:- Path — for example,
secret/luumen/windev - Key — for example,
password
Operational notes
- Vault must be reachable from the Patch server. The agent does not cache secrets across runs. If Vault is unreachable during a scheduled run, that run will skip hosts whose credentials it cannot resolve and log the error.
- Permissions follow Vault’s model. The token (or auth method) you give the agent needs read access to every path referenced from the UI — and only those paths.
- Rotation is transparent to Luumen. When you rotate a credential in Vault, the agent picks up the new value on its next run. No agent restart is required.