Vault Plugin New (Jun 2026)
Vault communicates with plugins over localized gRPC wrapped in mutual TLS (mTLS). This ensures high performance and cryptographic security for data in transit.
Note on naming: Vault expects a naming convention. For a secrets engine: vault-plugin-secrets-<name>. For an auth method: vault-plugin-auth-<name>. If you deviate from this, Vault will reject the registration.
Validating identities from third-party providers (e.g., AWS, Kubernetes) to issue Vault tokens.
    vault secrets enable -path=my-mock-plugin vault-plugin-secrets-mock
    // Path definition for the secrets engine: one key/value entry per name.
    &framework.Path{
        Pattern: "data/" + framework.GenericNameRegex("name"),
        Fields: map[string]*framework.FieldSchema{
            "value": {
                Type:        framework.TypeString,
                Description: "Value to store",
            },
        },
        Operations: map[logical.Operation]framework.OperationHandler{
            logical.WriteOperation: &framework.PathOperation{
                Callback: b.pathWrite,
            },
            logical.ReadOperation: &framework.PathOperation{
                Callback: b.pathRead,
            },
        },
    },
Once registered, enable the plugin at a specific path just like any native secrets engine:
When Vault launches a plugin binary, it establishes a local gRPC connection secured by ephemeral, single-use mTLS certificates generated automatically on startup.
Before writing code, you must determine which type of plugin fits your use case.

    Plugin Type | Common Examples
Create a new directory for your plugin and initialize a Go module. The project should have a clean structure separating the main entry point from the operational logic.
    // Path definition for the auth method: the login endpoint.
    &framework.Path{
        Pattern: "login",
        Operations: map[logical.Operation]framework.OperationHandler{
            logical.UpdateOperation: &framework.PathOperation{
                Callback: b.pathLogin,
            },
        },
    },
Check that the binary is executable and linked against a compatible glibc (if using Linux). Rebuild with CGO_ENABLED=0 go build . to produce a statically linked binary that does not depend on the host's libc.
    .PHONY: dev
    dev: build
    	mv vault-plugin-my-plugin ~/.vault/plugins/