Vault Secrets Plugin – Tailscale

Vault secrets plugins to simplying creation, management, and
revocation of Tailscale API tokens.


Setup Endpoint

  1. Download and enable plugin locally (TODO)

  2. Configure the plugin

    vault write /tailscale/config/root tailnet=<tailnet> token=<token>
  3. Add one or more policies

Configure Policies

# NOTE: this policy will not work and is just an example
vault write /tailscale/roles/<role-name> capabilities=-<<EOF
	"capabilities": {
    "devices": {
      "create": {
        "reusable": false,
        "ephemeral": false

you can then read from the role using

vault read /tailscale/creds/<role-name>

Generate a new Token

To generate a new token:

Create a new tailscale policy and perform a ‘read’ operation on the creds/<role-name> endpoint.

# To read data using the api
$ vault read tailscale/role/single-use
Key                Value
---                -----
lease_id           tailscale/creds/test/yfF2qCtSvKSakATS89va1Var
lease_duration     768h
lease_renewable    false
capabilities       map[devices:map[create:map[]]]
expires            2022-03-27T03:13:45Z
id                 koD1dv6CNTRL
token              <token>


The provided Earthfile (think makefile, but using
) is used to build, test, and publish the plugin.
See the build targets for more information. Common targets include

# build a local version of the plugin
$ earthly +build

# execute integration tests
# use to create a token
# with 'User:API Tokens:Edit' permissions

# start vault and enable the plugin locally
earthly +dev


View Github