Difficulty: intermediate
Estimated Time: 15 minutes

Vault's secret engines generate passwords that adhere to a default pattern that may not meet the standards required by your applications or within your organization.

Vault 1.5 introduced support for configurable password generation defined by a password policy. A policy defines the rules and requirements that the password must adhere and can provide that password directly through a new endpoint or within secrets engines.

In this tutorial you will start RabbitMQ and Vault, generate user credentials for RabbitMQ with the default password policy, define a password policy, and then generate user credentials with this custom policy.

Make some policies happen in your secrets engines.

User Configurable Password Generation for Secret Engines

Step 1 of 4

Start RabbitMQ and Vault

In another terminal, start a RabbitMQ server running on port 15672 that has a user named learn_vault with the password hashicorp.

docker run --rm --name some-rabbit -p 15672:15672 \
    -e RABBITMQ_DEFAULT_USER=learn_vault \
    -e RABBITMQ_DEFAULT_PASS=hashicorp \

The RabbitMQ server downloads the necessary images and then starts a container.

In another terminal, start a Vault dev server with root as the root token that listens for requests at

vault server -dev -dev-root-token-id root -dev-listen-address

Setting the -dev-listen-address to overrides the default address of a Vault dev server ( and enables Vault to be addressable by the Kubernetes cluster and its pods because it binds to a shared network.

Export an environment variable for the vault CLI to address the Vault server.

export VAULT_ADDR=

Request the status of the Vault server.

vault status

The Vault server reports that is initialized and unsealed.