ldb/vaulter-white
vaulter-white

A tool to pass Vault secrets to other processes via environment variables.


About

vaulter-white reads secrets from Vault and passes them into a newly spawned process through environment variables. It is particularly useful in containerized applications: for example, it can be set as the ENTRYPOINT of a Docker container to retrieve the production keys for your app. After loading the secrets into the environment (keeping all existing variables as well), it replaces itself with a freshly spawned instance of the configured process.

Note: At the moment only AppRole authentication is supported.

Configuration

vaulter-white is configured via vaulter-white.yaml, which is read from the current directory unless another path is given with the -c flag.

Example:

```yaml
command: ["bash", "-c", "env"]         # Specifies the command to run after loading the secrets.
host: http://vault.rocks:8200          # Host of Vault server.
hostEnv: HOST                          # If "host" is not set, it will be read from this environment variable.
roleId: myAppRole                      # RoleID for AppRole Authentication in Vault.
roleIdEnv: ROLE_ID                     # If "roleId" is not set, it will be read from this environment variable.
secretId: mySuperSecretId              # SecretID for AppRole Authentication in Vault.
secretIdEnv: SECRET_ID                 # If "secretId" is not set, it will be read from this environment variable.
secretMount: /secret/appConfig/        # "secretMount" contains the path to the secret backend holding your keys in Vault.
secrets:                               # "secrets" is a collection of environment variable name overrides for each key.
  awsConfig:
    region: AWS_REGION
    access_key_id: AWS_KEY_ID
    secret_access_key: AWS_SECRET_KEY
  googleAPI:
    apiKey: GOOGLE_API_KEY
```

  • command is optional and can be passed as command line argument as well (for example: vaulter-white -c config.yaml bash -c env).
  • host will be read from the environment if not set (either by looking at hostEnv or using VAULT_HOST as a fallback). This makes it easy to include vaulter-white in Docker images that are built by CI.
  • secretId will also be read from the environment if not set (either by looking at secretIdEnv or using VAULT_SECRET_ID as a fallback).
  • roleId will also be read from the environment if not set (either by looking at roleIdEnv or using VAULT_ROLE_ID as a fallback).
  • secrets is optional as well. Any keys not listed there will be exported as SECRETNAME_KEY=value.

Note: Secret values should always hold flat data types, not marshaled data (e.g. JSON objects). Values that are not strings will be exported as JSON.
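The mapping described above (override names from the secrets section, the SECRETNAME_KEY default for everything else, JSON for non-string values), as an added example that is not vaulter-white's own code. The sample secrets are constructed inline in place of a Vault read, and uppercasing the default name is this example's assumption, since the README gives only the pattern.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// envName returns the override from the "secrets" section (secret -> key -> variable)
// if present, else the README's SECRETNAME_KEY default (uppercasing it is assumed here).
func envName(secret, key string, ov map[string]map[string]string) string {
	if name, ok := ov[secret][key]; ok {
		return name
	}
	return strings.ToUpper(secret + "_" + key)
}

// SecretEnv turns the secrets read under secretMount into NAME=value entries.
// Strings are exported verbatim, anything else as JSON, per the README note.
func SecretEnv(secrets map[string]map[string]interface{}, ov map[string]map[string]string) ([]string, error) {
	var env []string
	for secret, kv := range secrets {
		for key, v := range kv {
			val, ok := v.(string)
			if !ok {
				b, err := json.Marshal(v)
				if err != nil {
					return nil, fmt.Errorf("secret %s key %s: %w", secret, key, err)
				}
				val = string(b)
			}
			env = append(env, envName(secret, key, ov)+"="+val)
		}
	}
	sort.Strings(env) // map iteration order is random; keep the output stable
	return env, nil
}

func main() {
	// Constructed sample standing in for the data read under secretMount.
	env, err := SecretEnv(map[string]map[string]interface{}{
		"awsConfig": {"region": "eu-west-1", "access_key_id": "EXAMPLEKEYID"},
		"googleAPI": {"apiKey": "example", "limits": map[string]interface{}{"daily": 1000}},
	}, map[string]map[string]string{"awsConfig": {"region": "AWS_REGION", "access_key_id": "AWS_KEY_ID"}})
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(append(os.Environ(), env...), "\n")) // inherited vars, then secrets
}
```

Note that googleAPI.limits is exported as a JSON object only because the sample violates the flat-data rule above; in practice keep each key a plain string.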

Run

To pass the configuration, use the -c flag: vaulter-white -c configuration.yaml

If no command was specified in the configuration, it should be passed as a command-line argument: vaulter-white -c config.yaml bash -c env
