Vault Url — the Vault server URL (e.g., https://vault.example.com:8200).
Mount Path — the KV secrets engine mount point (default: secret).
KV Version — v1 or v2.
Authentication methods
Token — Vault Url, Token. Simplest; tokens are short-lived and
must be renewed.
AppRole ⭐ (recommended for machine-to-machine) — Vault Url,
Role Id, Secret Id. Designed for non-human callers; supports CIDR
binding and TTL controls.
Username/Password — Vault Url, Username, Password. Use only when
integrating with an existing LDAP / userpass backend.
Permissions checklist
Attach a Vault policy granting read on <mount-path>/data/<secret-path>
for KV v2 (or <mount-path>/<secret-path> for KV v1).
For AppRole, bind the role to the policy and set conservative TTLs.
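
The checklist above as a shell sketch, added here as an example and not taken from the product's own tooling: it renders a read-only policy for one secret (handling the KV v1 vs v2 path difference) and binds an AppRole to it with short TTLs and a CIDR restriction. The function names, TTL values and calling arguments are assumptions; apply_approle needs an authenticated vault CLI with the AppRole auth method mounted at auth/approle.

```shell
#!/bin/sh
# Added example: least-privilege policy + AppRole for a read-only KV consumer.
# Function names and TTL values are illustrative assumptions, not product defaults.

# Print the policy path for one secret. KV v2 inserts "data/" after the mount;
# KV v1 does not. A policy written for the wrong version grants nothing useful.
kv_policy_path() {  # usage: kv_policy_path <mount> <secret-path> <1|2>
    mount=${1%/}      # tolerate a trailing slash on the mount
    secret=${2#/}     # tolerate a leading slash on the secret path
    case "$3" in
        1) printf '%s/%s\n' "$mount" "$secret" ;;
        2) printf '%s/data/%s\n' "$mount" "$secret" ;;
        *) echo "KV version must be 1 or 2" >&2; return 1 ;;
    esac
}

# Render a policy document (HCL) that grants read on exactly that path.
render_policy() {  # usage: render_policy <mount> <secret-path> <1|2>
    p=$(kv_policy_path "$1" "$2" "$3") || return 1
    printf 'path "%s" {\n  capabilities = ["read"]\n}\n' "$p"
}

# Write the policy, then bind an AppRole to it with conservative TTLs and
# restrict both secret-id login and token use to the caller's CIDR.
apply_approle() {  # usage: apply_approle <policy> <role> <cidr> <mount> <secret-path> <1|2>
    render_policy "$4" "$5" "$6" | vault policy write "$1" - || return 1
    vault write "auth/approle/role/$2" \
        token_policies="$1" \
        token_ttl=15m token_max_ttl=1h \
        secret_id_ttl=24h \
        secret_id_bound_cidrs="$3" token_bound_cidrs="$3"
}

# Constructed invocation (placeholder names and documentation-range CIDR):
#   apply_approle myapp-read myapp-role 192.0.2.0/24 secret myapp/db 2
```

Run render_policy on its own first to review the exact path being granted before anything is written to Vault.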