Skip to main content

Deploying a self-hosted secret manager

Blink supports integration with a vault running in a self-hosted environment. This enables managing connections in a secure way in the customers controlled environment. Secret data will not be stored by Blink and kept in the configured secret manager only.

To configure a self-hosted vault secret manager one needs to start a self-hosted runner with additional configuration, including the vault URL and root token.

  1. Create a new runner in your workspace. Click here for details.

  2. Make sure you can access the vault server using vault URL and root token. Inside vault ensure that there is a secret engine (type kv mounted on path /secret). If it does not exist, define it in the vault UI by clicking Enable new engine.


  1. Set new runner group as default for workspace. On the Runners page, click ThreeDots > Set as default. OR Select the checkbox Set as default in Add new runner group.


  1. Copy the command from the Add new runner group.

  2. Edit the command to add the environment variables: VAULT_URL and VAULT_ROOT_TOKEN.

Docker example command:

docker run -d --name blink-runner -e VAULT_URL=<Vault URL> -e VAULT_ROOT_TOKEN=<Vault root token> -e CTRL_URL="" -e BLINK_RUNNER_CONFIG=/blink/config.yml --restart unless-stopped -v /var/run/docker.sock:/var/run/docker.sock --add-host "host.docker.internal:host-gateway" blinkops/blink-runner: ./blink-runner -auth <API_KEY>

Kubernetes command example:

helm repo add blink &&\
helm repo update &&\
helm install -n blink --create-namespace --set image.tag=2.3.220823-130R --set secret.appKey=<Secret key> --set config.runner.ctrl_url= --set env.VAULT_URL=<Vault URL> --set env.VAULT_ROOT_TOKEN=<Vault root token> blink-runner blink/blink-runner

When using the CloudFormation template, make sure to provide the OnPremVaultUrl and OnPremVaultRootToken parameters.

  1. Refresh the Runners page to ensure the runner has started successfully.


  1. The default workspace runner determines where new workspace connection will be stored. If the runner is configured with self-hosted secret manager; the connections will be stored there. If the runner has no secret manager connected; the connections will be stored in Blink's secret manager.
  2. To verify where the connection is being stored look at the secret manager name below the connection name on the Connections page.


*blink_cloud_sm* indicates Blink's secret manager. Anything else indicates customer's self hosted secret manager.