The vault integration provides an opinionated way to interact with Vault as a secret manager for helix services.

Trace attributes

The vault integration sets the following trace attributes:

  • vault.server.address
  • vault.agent.address
  • vault.namespace
  • span.kind

When applicable, these attributes can be set as well:

  • vault.kv.mountpath
  • vault.kv.secretpath


Example:

vault.server.address: "http://localhost:8200"
vault.agent.address: ""
vault.namespace: "custom"
vault.kv.mountpath: "/secrets"
vault.kv.secretpath: "my_secret"
span.kind: "internal"


The integration uses the official Go library maintained by the HashiCorp team.

Install the Go module with:

$ go get

A simple example of how to import, configure, and use the integration:

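import (
  "context"

  // The import paths for the helix service and vault packages are not shown on this page.
)

func main() {
  cfg := vault.Config{
    Address:   "",
    Namespace: "custom",
    Token:     "my_token", // placeholder; supply the real token at runtime rather than from source
  }

  // Connect to Vault using the configuration above.
  client, err := vault.Connect(cfg)
  if err != nil {
    panic(err) // main has no return value, so the error cannot be returned
  }

  // Read a secret from the key-value engine mounted at "/mountpath".
  ctx := context.Background()
  kv := client.KeyValue(ctx, "/mountpath")
  secret, err := kv.Get(ctx, "secretpath")
  if err != nil {
    // ...
  }
  _ = secret // use the secret here; Go rejects unused variables

  if err := service.Start(); err != nil {
    panic(err)
  }

  if err := service.Close(); err != nil {
    panic(err)
  }
}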
