This plugin allows you to use Hashicorp vault secrets in your serverless.yml.

In serverless.yml:

plugins:
  - serverless-vault-vars

By default the plugin will speak to a vault on http://localhost:8200. To use another url:

In your serverless.yml

custom:
  vault_address: https://example.com

Via environment variables (same as vault cli):

VAULT_ADDR=https://example.com

Priority is: serverless.yml > environment variable > default value

In your serverless.yml

custom:
  vault_token: sometoken

Via environment variables (same as vault cli):

VAULT_TOKEN=sometoken

In ~/.vault-token (same as vault cli):

sometoken

Priority is: serverless.yml > environment variable > token file

Once you've configured the plugin, you can use vault vars by referencing them with the vault: prefix. This should be followed by the secret's path, and then the key of the value you want as follows:

Gien the following vault secret:

path: secretapp/config
structure:

username: someusername
password: somepassword

To get the info in your serverless yml:

custom:
  username: ${vault:secretapp/config.username}

functions:
  somefunction:
    handler: x.handler
    environment:
      password: ${vault:secretapp/config.password}