Once you have the plugin enabled, you'll have to configure it. Ensure you have the Vault CLI installed and that you have proper access to the Vault instance.
Go to the Vercel tokens page and generate a new token. This is the token the plugin will use to dynamically create other (short-lived) tokens. Set the key as follows:
$ vault write vercel-secrets/config api_key=<your-api-key-here>
Optional parameters are:
max_ttl=<seconds>
: Maximum TTL for the tokens generated by the plugin. TTLs can be defined on a per-token basis, but they will need to be lower than or equal to the maximum. Default is 10 minutes.
default_team_id=<vercel-team-id>
: If set, all generated tokens will be scoped to this Vercel team only. Token creation requests cannot override this value.
Now you can start generating ephemeral tokens. Run the following command to generate a new Vercel token managed by the Vault plugin:
$ vault read vercel-secrets/token
Key Value
--- -----
lease_id vercel-secrets/token/<lease-id>
lease_duration 10m
lease_renewable false
bearer_token xyzabbacdc
token_id bababababa
Optional parameters are:
ttl=<seconds>
: Custom lease duration. Has to be lower than or equal to the max_ttl configured for the plugin backend.
team_id=<vercel-team-id>
: Set token scope for a specific Vercel team. If backend configuration has a default team ID set, this value has to be equal to that. Requires a Vercel Pro plan.
Vault will automatically revoke & delete the API key after the lease duration.
The token also has an expiration time equal to the lease duration on the Vercel side. Should anything happen to Vault, the token will still expire as configured. However, the expired token will remain on Vercel and has to be cleaned up manually.
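An added example, not part of the plugin's own code: a Python context manager that leases a token with the `vault read` call shown above and revokes the lease with `vault lease revoke` as soon as the work is done, instead of waiting for the lease to run out. The names `vercel_token`, `run_vault` and `fake_vault` are hypothetical, the lease returned by `fake_vault` is constructed, and the `vercel-secrets` mount path is the one used on this page.

```python
import json
import subprocess
from contextlib import contextmanager

MOUNT = "vercel-secrets"  # mount path used in the commands on this page


def run_vault(args):
    """Run the Vault CLI and return stdout; raises CalledProcessError on failure."""
    done = subprocess.run(["vault", *args], check=True, capture_output=True, text=True)
    return done.stdout


@contextmanager
def vercel_token(ttl=None, team_id=None, run=run_vault):
    """Lease a Vercel token; revoke the lease when the caller is done (run is injectable)."""
    args = ["read", "-format=json", f"{MOUNT}/token"]
    if ttl is not None:
        args.append(f"ttl={int(ttl)}")  # must be <= the backend's max_ttl
    if team_id is not None:
        args.append(f"team_id={team_id}")  # must equal default_team_id if one is set
    secret = json.loads(run(args))
    lease_id = secret["lease_id"]
    try:
        # Only the bearer token is handed to the caller; never log it.
        yield secret["data"]["bearer_token"]
    finally:
        # Early revocation, also on errors: do not wait for the lease to expire.
        run(["lease", "revoke", lease_id])


def fake_vault(calls):
    """Constructed stand-in for the CLI that returns a made-up lease."""
    def run(args):
        calls.append(list(args))
        if args[0] == "read":
            return json.dumps({
                "lease_id": f"{MOUNT}/token/constructed-lease",
                "data": {"bearer_token": "constructed-bearer", "token_id": "constructed-id"},
            })
        return ""
    return run


if __name__ == "__main__":
    calls = []
    with vercel_token(ttl=120, run=fake_vault(calls)) as token:
        print("token length:", len(token))  # use the token here, do not print it
    print(calls)  # the read, then the lease revocation
```

Dropping the `run=` argument makes the context manager call the real `vault` binary, which needs `VAULT_ADDR` and a valid Vault token in the environment.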
You can print informational details about the plugin by querying the info endpoint:
$ vault read vercel-secrets/info
Key Value
--- -----
build_commit d912476
build_commit_branch docs/verify-signed-build
build_commit_date d912476
build_date Fri Jul 07 22:07:50 EEST 2023
build_dirty true
build_tag v0.2.3
build_version v0.2.3