21h
/
vault-retriever
Watch 1
Star 0
Fork 0
Code Pull Requests 0 Releases 4 Activity
Retrieves secrets from Vault and saves to disk as JSON files
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21 Commits
1 Branch
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
Vladimir Smagin 97b2c5f33d create DEBIAN dir if absent 3 weeks ago
build/deb create DEBIAN dir if absent 3 weeks ago
cmd fix readme 3 weeks ago
test add console arguments 3 weeks ago
vendor add console arguments 3 weeks ago
.gitignore add package and image build 3 weeks ago
Dockerfile add package and image build 3 weeks ago
Jenkinsfile move deb to repo build directory 3 weeks ago
README.md fix readme 3 weeks ago
go.mod add console arguments 3 weeks ago
go.sum add package and image build 3 weeks ago
license.txt added env expressions generation in stdout, removed unncessesary looging 4 weeks ago
main.go add console arguments 3 weeks ago
test-config.yaml added env expressions generation in stdout, removed unncessesary looging 4 weeks ago

README.md

Vault secrets retriever

This small program can retrieve secret from Vault’s path and save as local json file or expose as ENV variable expression.

Vault connection

So you need to specify Vault URL and Token to get connection established.

You can specify Vault URL (by priority):

  • set ENV variable VAULT_RETRIEVER_ADDRESS
  • set argument --vault in command line
  • set value vault.address in configuration file

You can specify Vault Token (by priority):

  • set ENV variable VAULT_RETRIEVER_TOKEN
  • set argument --token in command line
  • set value vault.token in configuration file

If credentials not set program return code 1.

Configuration

You need to create a config file somewhere (or mount it to container) with connection settings and secrets to get. You can specify configuration with ENV variable VAULT_RETRIEVER_FILE or command line argument --config. Fallback filename is vault.yaml.

Sample config file with connection parameters and secrets:

vault:
  address: https://vault.blindage.org
  token: s.otBH1tQ5IMDZRBJC1SEuTEPX
  # Set output env format, https://golang.org/pkg/fmt/
  # Default: %v="%v"
  envFormat: 'export %v="%v"'

secrets:
    # Set secret path in Vault
  - path: /ssh-vault-test/public/vlad
    # Save to specified file 
    # By default complete json data, but not is this case, see below
    file: test/secret-vlad.json
    # If "key" presents it will return only plain value of this key, not json
    key: username
    # Return value as ENV expression
    # Result in console stdout as defined env format:
    # export SSH_USERNAME="vlad"
    env: "SSH_USERNAME"

    # Save complete data in json format to file
  - path: /ssh-vault-test/public/anya
    file: test/secret-anya.json

    # Return value as ENV expression, no save to file
    # Result in console stdout:
    # export SSH_NAME="Kot Koteykin"
  - path: /ssh-vault-test/public/kot
    key: name
    env: "SSH_NAME"

Show help screen with arguments:

$> ./vault-retriever -h
vault-retriever exposes secrets from Vault to ENV variables and/or files.
        Read documentation here https://git.blindage.org/21h/vault-retriever

Usage:
  vault-retriever [flags]

Flags:
  -c, --config string   Configuration file
  -h, --help            help for vault-retriever
  -t, --token string    Vault Token
  -v, --vault string    Vault URL

Good luck.

Copyright by Vladimir Smagin (21h) 2019
http://blindage.org email: 21h@blindage.org
Project page: https://git.blindage.org/21h/vault-retriever