Create a Vault Entry

In this article

Vault entries are sensitive and restricted key-value pairs stored in the Vault API of the Coveo Migration Service. The service uses these entries to migrate sensitive information leveraged by your resources, such as credentials used to index content. You can also use vault entries in indexing pipeline extensions (IPEs).


When using the Migration Service to apply a snapshot to an organization, you can typically use a purpose-built Import vault parameters button to automatically import vault parameters from the origin organization.

If there remain missing vault entries after the import, you need to create them manually.

This article provides an example that shows you how to create vault entries using the POST /vaultentries endpoint.


You want to apply a snapshot to an organization, but you receive an error message when checking the prerequisites, because a vault entry with the following key is missing: originorganizationid_iyn07x-configuration.parameters.secretKey.value. It’s used as a credential by one of your sources. You try pressing the Import vault entries button, but it has no effect because you have deleted the vault entry from the origin organization.

Snapshot check - missing vault entry

You therefore use the POST /vaultentries endpoint to create the target vault entry in your destination organization.

Accept: application/json
Content-Type: application/json

Request payload:

  "attributeReferences": [
      "jsonPath": "configuration.parameters.secretKey.value", 1
      "resourceName": "originorganizationid_iynO7X", 2
      "resourceType": "SOURCE"
  "key": "originorganizationid_iyn07x-configuration.parameters.secretKey.value", 3
  "value": "s8h#kj%43s", 4
  "organizationId": "destinationorganizationid", 5
  "valueType": "STRING",
  "vaultVisibilityType": "OBFUSCATED"
1 To determine the jsonPath value, you open the snapshot JSON content to find out the path to the target key from its parent resource model. In this case, it’s configuration.parameters.secretKey.value.
// ...
  "SOURCE": [
      "model": {
        // ...
        "configuration": {
          // ...
          "parameters": {
            // ...
            "secretKey": {
              "sensitive": true,
              "value": "{{ VAULT.originorganizationid_iynO7X-configuration.parameters.secretKey.value }}"
          // ...
        // ...
      // ...
      "resourceName": "originorganizationid_iynO7X"
// ...
2 The resourceName of the migrated resource, which you can find in the snapshot JSON content as well.
3 The key of the missing vault entry you are creating, namely originorganizationid-configuration.parameters.secretKey.value.
4 Then, you set the vault entry value to s8h#kj%43s, which is the credential needed to access the content your source indexes.
5 You set the unique identifier of the destination organization as the value of the organizationId parameter.

After sending this request, you go back to the Administration Console and check that your snapshot prerequisites are now satisfied.

Successful migration check after adding vault entry
What's next for me?