
Vault to Env

A Docker container for extracting Vault secrets into environment variables for use in deploys or development.

Prerequisites

  • A Vault instance
  • A Valid Authentication Token

Basic Usage

docker run \
  --rm \
  -e VAULT_ADDR="https://vault.my-domain.com:8200" \
  -e VAULT_TOKEN="<token>" \
  -e SECRET_CONFIG_FILE="./secrets.json" \
  premiereglobal/vault-to-envs:latest

Output:

export DB_PASSWORD=abc123
export AWS_ACCESS_KEY_ID=abc123
export AWS_SECRET_KEY=abc123

Docker Environment Variables

To customize some properties of the container, the following environment variables can be passed via the -e parameter (one per variable). The value of this parameter has the format <VARIABLE_NAME>=<VALUE>.

  • VAULT_ADDR (required): the full address of the Vault instance to connect to, for example https://vault.my-domain.com:8200.
  • VAULT_TOKEN (required): the Vault token to use for authentication.
  • SECRET_CONFIG (required if SECRET_CONFIG_FILE is not set): definition of which secrets/keys to extract and which environment variables to set them to. See below for more details.
  • SECRET_CONFIG_FILE (required if SECRET_CONFIG is not set): location of a secret config file.
  • DEBUG (default: false): set to true to output verbose details during execution.

Configuration

This container is configured with a JSON-formatted string or file (SECRET_CONFIG or SECRET_CONFIG_FILE) that describes the secrets to read, the environment variables to set from them, and optionally the TTL and version to request.

Examples

Key-Value Secrets

Take an example where we have two secrets. The first contains three keys with database information. The second contains a token.

secret_config.json

[
  {
    "vault_path": "secret/app/database",
    "set": {
      "DB_HOST": "dbHost",
      "DB_USER": "dbUser",
      "DB_PASSWORD": "dbPass"
    }
  },
  {
    "vault_path": "secret/app/token",
    "set":  {
      "APP_TOKEN": "token"
    }
  }
]

Command

docker run \
  --rm \
  -v $(pwd):/config \
  -e VAULT_ADDR="https://vault.my-domain.com:8200" \
  -e VAULT_TOKEN="<token>" \
  -e SECRET_CONFIG_FILE=/config/secret_config.json \
  premiereglobal/vault-to-envs:latest

Output

export DB_HOST='xxxxxxxxxxxxxx'
export DB_USER='xxxxxx'
export DB_PASSWORD='xxxxxxxxxxxxxxx'
export APP_TOKEN='xxxxxxxxxxxxxxxxx'
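The container's job in this example is to read each entry of secret_config.json, look the keys up in Vault and print export lines that will later be passed to eval. The following Go program is an added example, not the project's own code, showing the two details that matter for safety when output is going to be eval'd: the environment variable name taken from the config is validated against the shell's identifier rules, and every value is single-quoted with embedded quotes escaped. The lookup map is a constructed stand-in for the Vault reads; the config and secret values are made up for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// SecretConfig is one entry of the secret_config.json array described above.
type SecretConfig struct {
	VaultPath string            `json:"vault_path"`
	TTL       int               `json:"ttl,omitempty"`     // parsed but not used here
	Version   int               `json:"version,omitempty"` // parsed but not used here
	Set       map[string]string `json:"set"`               // ENV_VAR -> key inside the secret
}

// envNameRE is the set of names a POSIX shell accepts on the left of "export NAME=".
// Anything else coming from the config is rejected rather than echoed into eval'd output.
var envNameRE = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// shellQuote single-quotes v so eval treats it literally; an embedded ' becomes '\''.
func shellQuote(v string) string {
	return "'" + strings.ReplaceAll(v, "'", `'\''`) + "'"
}

// RenderExports parses the config and renders "export NAME='value'" lines from the
// secret data in lookup (path -> key -> value), which stands in for the Vault reads.
// A missing path or key is an error, never a silently empty export.
func RenderExports(configJSON []byte, lookup map[string]map[string]string) (string, error) {
	var cfgs []SecretConfig
	if err := json.Unmarshal(configJSON, &cfgs); err != nil {
		return "", fmt.Errorf("parse secret config: %w", err)
	}
	var b strings.Builder
	for _, c := range cfgs {
		data, ok := lookup[c.VaultPath]
		if !ok {
			return "", fmt.Errorf("no secret at %q", c.VaultPath)
		}
		names := make([]string, 0, len(c.Set))
		for n := range c.Set {
			names = append(names, n)
		}
		sort.Strings(names) // deterministic output order within one secret
		for _, name := range names {
			if !envNameRE.MatchString(name) {
				return "", fmt.Errorf("invalid environment variable name %q", name)
			}
			val, ok := data[c.Set[name]]
			if !ok {
				return "", fmt.Errorf("key %q not found in %q", c.Set[name], c.VaultPath)
			}
			fmt.Fprintf(&b, "export %s=%s\n", name, shellQuote(val))
		}
	}
	return b.String(), nil
}

func main() {
	// Constructed sample data: the README's two-secret config and made-up secret values.
	config := []byte(`[
	  {"vault_path": "secret/app/database",
	   "set": {"DB_HOST": "dbHost", "DB_USER": "dbUser", "DB_PASSWORD": "dbPass"}},
	  {"vault_path": "secret/app/token", "set": {"APP_TOKEN": "token"}}
	]`)
	secrets := map[string]map[string]string{
		"secret/app/database": {"dbHost": "db.internal", "dbUser": "app", "dbPass": "p4ss'word"},
		"secret/app/token":    {"token": "tok-123"},
	}
	out, err := RenderExports(config, secrets)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Failing closed on a missing key is a deliberate choice: an empty DB_PASSWORD exported without complaint is much harder to notice in a deploy than an exit with a clear error.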

Dynamic Secrets

This example uses Vault's AWS Secret Backend to create an access/secret key pair for an AWS account. The only difference from the previous example is that a TTL can be requested, which Vault will honour if the role's lease settings allow it. If no TTL is set, the lease duration will be whatever default is configured within Vault.

secret_config.json

[
  {
    "vault_path": "aws/creds/my-role",
    "ttl": 600,
    "set": {
      "AWS_ACCESS_KEY_ID": "access_key",
      "AWS_SECRET_ACCESS_KEY": "secret_key"
    }
  }
]

Command

docker run \
  --rm \
  -e VAULT_ADDR="https://vault.my-domain.com:8200" \
  -e VAULT_TOKEN="<token>" \
  -e SECRET_CONFIG="$(cat secret_config.json)" \
  premiereglobal/vault-to-envs:latest

Output

export AWS_ACCESS_KEY_ID='xxxxxxxxxxxxxxxxxx'
export AWS_SECRET_ACCESS_KEY='xxxxxxxxxxxxxxxxxxxxxxxxx'

Key-Value (Version 2) Secrets

This example pulls secrets from Vault's KV V2 data store. With kv-v2, an additional version option can be specified.

secret_config.json

[
  {
    "vault_path": "kv/app/database",
    "version": 5,
    "set": {
      "DB_HOST": "dbHost",
      "DB_USER": "dbUser",
      "DB_PASSWORD": "dbPass"
    }
  }
]

The config above will pull version 5 of the secret specified.

Additionally, a negative value can be specified for version to "go back" a number of versions. For example:

secret_config.json

[
  {
    "vault_path": "kv/app/database",
    "version": -2,
    "set": {
      "DB_HOST": "dbHost",
      "DB_USER": "dbUser",
      "DB_PASSWORD": "dbPass"
    }
  }
]

This will pull the secret two versions behind the current version. Note: any deleted version is skipped over, and the next non-deleted version is considered instead.
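The negative-version rule is easy to get subtly wrong, so here is the resolution logic written out in Go as an added example (not the project's own implementation). It assumes the semantics the README describes: 0 or absent means the current version, a positive number is used as-is, and a negative number walks back that many readable versions from the current one, with deleted or destroyed versions skipped rather than counted. KVMetadata is a constructed stand-in for the fields of a kv-v2 metadata read (current_version plus per-version deletion_time and destroyed); the sample metadata in main is made up.

```go
package main

import "fmt"

// VersionMeta is the subset of kv-v2 per-version metadata that matters here:
// a version with a deletion_time or marked destroyed holds no readable data.
type VersionMeta struct {
	DeletionTime string
	Destroyed    bool
}

// KVMetadata stands in for a kv-v2 metadata response: current_version plus
// version number -> VersionMeta.
type KVMetadata struct {
	CurrentVersion int
	Versions       map[int]VersionMeta
}

func (m VersionMeta) readable() bool { return m.DeletionTime == "" && !m.Destroyed }

// ResolveVersion maps the "version" field of a secret config entry onto a concrete
// kv-v2 version number (assumed semantics, see lead-in). Errors are returned instead
// of falling back to the current version, so a config that asks for something that
// no longer exists cannot quietly read a different secret.
func ResolveVersion(requested int, meta KVMetadata) (int, error) {
	switch {
	case requested == 0:
		return meta.CurrentVersion, nil
	case requested > 0:
		v, ok := meta.Versions[requested]
		if !ok || !v.readable() {
			return 0, fmt.Errorf("version %d does not exist or is deleted", requested)
		}
		return requested, nil
	}
	// Negative: count only readable versions below the current one.
	back := -requested
	for v := meta.CurrentVersion - 1; v >= 1; v-- {
		m, ok := meta.Versions[v]
		if !ok || !m.readable() {
			continue // deleted/destroyed versions are skipped, not counted
		}
		back--
		if back == 0 {
			return v, nil
		}
	}
	return 0, fmt.Errorf("cannot go back %d readable versions from version %d", -requested, meta.CurrentVersion)
}

func main() {
	// Constructed metadata: five versions, version 4 deleted.
	meta := KVMetadata{CurrentVersion: 5, Versions: map[int]VersionMeta{
		1: {}, 2: {}, 3: {}, 4: {DeletionTime: "2024-01-01T00:00:00Z"}, 5: {},
	}}
	for _, req := range []int{0, 5, -1, -2, 4, -4} {
		v, err := ResolveVersion(req, meta)
		fmt.Printf("requested %d -> version %d, err=%v\n", req, v, err)
	}
}
```

With version 4 deleted, a request for -2 resolves to version 2, not 3: the walk passes over 4 without counting it, counts 3 as one back and 2 as two back.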

Sourcing the Env Vars

One way to source the output of the container is to eval the output of docker run directly. If the run succeeds, its stdout is evaluated by the current shell and the environment variables are set.

eval "$(docker run \
  --rm \
  -v $(pwd):/config \
  -e VAULT_ADDR="https://vault.my-domain.com:8200" \
  -e VAULT_TOKEN="<token>" \
  -e SECRET_CONFIG_FILE=/config/secret_config.json \
  premiereglobal/vault-to-envs)"

Contributors

bartlettc22
