
# Configuring a HashiCorp Vault

> Integrate HashiCorp Vault with your Blink self-hosted runner for secure secrets management.

Blink integrates with a vault running in the customer's own environment, so connections are managed securely inside infrastructure the customer controls.

<Note> Blink does not store any confidential data; it is kept exclusively in the designated secret manager. </Note>

To configure a Self-Hosted Vault Secret Manager, you need to start a self-hosted runner with additional configuration, including the **vault URL and root token**.

<Steps>
  <Step title="Create a New Runner in the Blink Platform">
    Create a new Runner in your workspace.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/xyKLDJHFYJazyJhl/img/Runners/Table.png?fit=max&auto=format&n=xyKLDJHFYJazyJhl&q=85&s=84fa0484a0bc8291082bcded683053c6" width="3068" height="726" data-path="img/Runners/Table.png" />
    </Frame>
  </Step>

  <Step title="Access the Vault Server Using Vault URL and Root Token">
    Make sure you can access the Vault server using the Vault URL and root token. Inside Vault, ensure that there is a secrets engine of type kv mounted on the path /secret. If it does not exist, define it in the Vault UI by clicking **Enable new engine**.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/xyKLDJHFYJazyJhl/img/Runners/Runners1.png?fit=max&auto=format&n=xyKLDJHFYJazyJhl&q=85&s=5f298653d4da70ec885ddd04655822de" width="2758" height="1036" data-path="img/Runners/Runners1.png" />
    </Frame>
  </Step>

  <Step title="Set the Runner Group as Default (Optional)">
    <p>Set the new runner group as the default for the workspace. On the **Runners** page, click <Icon icon="square-ellipsis-vertical" iconType="solid" /> > **Set as default**. </p>
    OR

    Select the checkbox **Set as default** in **Add new runner group**.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/xyKLDJHFYJazyJhl/img/Runners/NewRunner.png?fit=max&auto=format&n=xyKLDJHFYJazyJhl&q=85&s=7ede4badbd7bd77acf6661ff8e27ccd2" width="1086" height="1104" data-path="img/Runners/NewRunner.png" />
    </Frame>
  </Step>

  <Step title="Copy the Runner Installation Command">
    Click **Continue** in the bottom-right corner. A dialog box opens with the command required to install the Runner in your environment. Copy this command to your clipboard by clicking the icon in the top-right corner.
  </Step>

  <Step title="Edit and Configure the Runner Command">
    Edit the command to add the environment variables: `VAULT_URL`, `VAULT_ROOT_TOKEN` and `SECRET_MANAGER_TYPE`.

    * [Docker](/docs/blink-platform/runners/deploying-runner/dockers-runner) example command:

    ```bash theme={"dark"}
    docker run -d --name blink-runner -e VAULT_URL=<Vault URL> -e VAULT_ROOT_TOKEN=<Vault root token> -e SECRET_MANAGER_TYPE=vault -e CTRL_URL="https://app.blinkops.com" -e BLINK_RUNNER_CONFIG=/blink/config.yml --restart unless-stopped -v /var/run/docker.sock:/var/run/docker.sock --add-host "host.docker.internal:host-gateway" blinkops/blink-runner:<version> ./blink-runner -auth <API_KEY>
    ```

    * [Kubernetes](/docs/blink-platform/runners/deploying-runner/kubernetes-runner) example command:

    ```bash theme={"dark"}
    helm install -n blink --create-namespace --set image.tag=<version> --set secret.appKey=<Secret key> --set env.SECRET_MANAGER_TYPE=vault --set config.runner.ctrl_url=https://app.blinkops.com --set env.VAULT_URL=<Vault URL> --set env.VAULT_ROOT_TOKEN=<Vault root token>  blink-runner oci://public.ecr.aws/x9s7x6t7/blink-runner
    ```

    <Note> When using the **CloudFormation** template, make sure to provide the **OnPremVaultUrl** and **OnPremVaultRootToken** parameters.</Note>
  </Step>

  <Step title="Verify the Runner Has Started Successfully">
    <Note>
      The default workspace runner determines where new workspace connections are stored. If the runner is configured with a self-hosted secret manager, the connections are stored there. If no secret manager is connected, the connections are stored in Blink's secret manager.
    </Note>

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/xyKLDJHFYJazyJhl/img/Runners/Runners4.png?fit=max&auto=format&n=xyKLDJHFYJazyJhl&q=85&s=da54b86c536e17404dc0436e370596cd" width="3096" height="642" data-path="img/Runners/Runners4.png" />
    </Frame>
  </Step>

  <Step title="Verify Where the Connection is Being Stored">
    To verify where the connection is being stored, look at the secret manager name below the connection name on the **Connections** page.

    <Tip> **blink\_cloud\_sm** indicates Blink's secret manager. Any other name indicates the customer's self-hosted secret manager. </Tip>

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/xyKLDJHFYJazyJhl/img/Runners/Runners3.png?fit=max&auto=format&n=xyKLDJHFYJazyJhl&q=85&s=7b1cb77056df6ec2aa15db5a009886f0" width="1668" height="634" data-path="img/Runners/Runners3.png" />
    </Frame>
  </Step>
</Steps>
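
The prerequisite from the second step (a kv engine mounted on /secret, reachable with the Vault URL and root token) can be checked before the runner is started. The script below is an added example, not part of Blink's tooling: it reads Vault's mount table through `GET /v1/sys/mounts` with the `X-Vault-Token` header, and the function names and the sample response are constructed for illustration.

```python
"""Pre-flight check of the Vault a runner will use (added example, not Blink code)."""
import json
import os
import urllib.request

# Constructed sample of a GET /v1/sys/mounts response body (not from a real server).
SAMPLE_MOUNTS = json.dumps({
    "data": {
        "secret/": {"type": "kv", "options": {"version": "2"}},
        "sys/": {"type": "system", "options": None},
    }
})


def kv_mount_status(mounts_body: str, path: str = "secret/") -> str:
    """Return 'ok', 'missing' or 'wrong-type:<type>' for the mount at `path`."""
    body = json.loads(mounts_body)
    # Accept the mount table either wrapped in "data" or at the top level.
    mounts = body.get("data") or body
    # Vault keys mounts as "secret/", so normalise "/secret" and "secret".
    entry = mounts.get(path.strip("/") + "/")
    if not isinstance(entry, dict):
        return "missing"
    if entry.get("type") != "kv":
        return f"wrong-type:{entry.get('type')}"
    return "ok"


def fetch_mounts(vault_url: str, token: str, timeout: float = 5.0) -> str:
    """Read the mount table with the same token the runner will be given."""
    req = urllib.request.Request(
        vault_url.rstrip("/") + "/v1/sys/mounts",
        headers={"X-Vault-Token": token},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Values come from the environment so the token stays out of shell history.
    url, tok = os.environ.get("VAULT_URL"), os.environ.get("VAULT_ROOT_TOKEN")
    # Without both variables set, fall back to the constructed sample.
    body = fetch_mounts(url, tok) if url and tok else SAMPLE_MOUNTS
    print("kv engine at secret/:", kv_mount_status(body))
```

A result of `missing` or `wrong-type:<type>` means the engine still has to be enabled in the Vault UI as described in the second step.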
