Vault-Key makes it easy to use Vault with the Google Cloud Auth Method. It uses a GCP service account and JSON Web Tokens to log in to Vault securely and without a password. It then retrieves the secrets you need and makes them available in your code, hassle-free.
This project also makes it easy to interact with Vault using GitHub authentication. Interaction is not limited to retrieval: pkg/vault allows you to manage secrets as well.
```go
package main

import (
	"context"
	"fmt"

	"github.com/teamsnap/vault-key/pkg/vault"
)

// env is filled by GetSecrets: secret path -> (key -> value).
var env = map[string]map[string]string{}

// envArr lists the KV v2 secret paths to fetch.
var envArr = []string{
	"secret-engine/data/secret-name",
	"secret-engine-2/data/another-secret-name",
}

func main() {
	ctx := context.Background()
	// Authenticates to Vault (Google Cloud or GitHub, depending on the
	// environment variables below) and loads every path in envArr into env.
	vault.GetSecrets(ctx, &env, envArr)
	fmt.Println("Secret values:", env)
	fmt.Println("secret-key value = " + env["secret-engine/data/secret-name"]["secret-key"])
	fmt.Println("secret-key-2 value = " + env["secret-engine-2/data/another-secret-name"]["secret-key-2"])
}
```
```javascript
const vault = require('@teamsnap/vault-key')

// KV v2 secret paths to fetch.
const secrets = [
  'secret-engine/data/secret-name',
  'secret-engine-2/data/another-secret-name'
]

// Returns an object keyed by secret path, each holding that secret's key/value pairs.
const secretData = vault.getSecrets(secrets)
console.log('Secret values:', JSON.stringify(secretData, null, 4))
console.log(`secret-key value = ${secretData['secret-engine/data/secret-name']['secret-key']}`)
console.log(`secret-key-2 value = ${secretData['secret-engine-2/data/another-secret-name']['secret-key-2']}`)
```
```ruby
require 'vault-key'

# KV v2 secret paths to fetch.
secrets = [
  "secret-engine/data/secret-name",
  "secret-engine-2/data/another-secret-name"
]

# Returns a hash keyed by secret path, each holding that secret's key/value pairs.
secretData = Vault.getSecrets(secrets)
puts secretData
puts secretData["secret-engine/data/secret-name"]["secret-key"]
puts secretData["secret-engine-2/data/another-secret-name"]["secret-key-2"]
```
| Environment Variable | Default | Required (GCP) | Required (other environments) | Example | Description |
|---|---|---|---|---|---|
| ENVIRONMENT | "development" | No | No | production | If set to anything but production, prints trace-level logs |
| FUNCTION_IDENTITY | "" | No | Yes | my-project-123@appspot.gserviceaccount.com | Email address associated with the service account (required for Google authentication) |
| GITHUB_OAUTH_TOKEN | "" | No | No | 1234abcd | GitHub Personal Access Token (when set, disables Google authentication) |
| GCLOUD_PROJECT | "" | No | No | my-project-123 | Project ID the service account belongs to |
| GOOGLE_APPLICATION_CREDENTIALS | "" | No | No | service-account/my-project-123.serviceaccount.json | Path to the service account credentials file |
| TRACE_ENABLED | "false" | No | No | true | Whether to enable OpenCensus tracing |
| TRACE_PREFIX | "vault" | No | No | my-company | Prefix added to the name of tracing spans |
| VAULT_ADDR | "" | Yes | Yes | https://vault.my-company.com | Vault address including protocol |
| VAULT_ROLE | "" | Yes | No | vault-role-cloud-functions | Name of the role created in Vault for GCP auth (required for Google auth) |
This project also allows you to use GitHub Personal Access Tokens for Vault. You'll need to configure a personal access token for a user who has been granted Vault access. Note that this authentication method is only enabled when the GITHUB_OAUTH_TOKEN environment variable is set. When it is not set, this project defaults to the Google authentication method described below.
Because this project uses the Google Cloud auth method for Vault, you'll need to configure a role for the service account you're using. By default, for Google Cloud Functions that will be <project-id>@appspot.gserviceaccount.com. You can use the Terraform example to get you started.
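As an added example (not part of vault-key itself), the following Go snippet applies the "Required" columns of the table and the GITHUB_OAUTH_TOKEN override described above to work out which auth method a deployment will use and which variables are still missing before any call to Vault is made. `Config`, `FromEnv` and `Resolve` are hypothetical helpers, and the assumption that a GitHub token lifts the Google-auth-only requirements is this example's own reading of the table.

```go
package main

import (
	"fmt"
	"strings"
)

// Config holds the table's variables that decide how vault-key authenticates.
type Config struct {
	VaultAddr        string // VAULT_ADDR, required everywhere
	VaultRole        string // VAULT_ROLE, required on GCP for Google auth
	FunctionIdentity string // FUNCTION_IDENTITY, required off GCP for Google auth
	GitHubToken      string // GITHUB_OAUTH_TOKEN, when set disables Google auth
}

// FromEnv builds a Config from a lookup function (os.Getenv in real use, a map
// lookup in tests). Unset variables take the table's "" default.
func FromEnv(getenv func(string) string) Config {
	return Config{
		VaultAddr:        getenv("VAULT_ADDR"),
		VaultRole:        getenv("VAULT_ROLE"),
		FunctionIdentity: getenv("FUNCTION_IDENTITY"),
		GitHubToken:      getenv("GITHUB_OAUTH_TOKEN"),
	}
}

// Resolve returns the auth method ("gcp" or "github") and an error naming
// every variable the table marks as required for that case but which is empty.
// onGCP selects the "Required (GCP)" column. Assumption: the Google-auth-only
// variables stop being required once GITHUB_OAUTH_TOKEN switches auth to GitHub.
func Resolve(c Config, onGCP bool) (string, error) {
	var missing []string
	if c.VaultAddr == "" {
		missing = append(missing, "VAULT_ADDR")
	}
	method := "gcp"
	switch {
	case c.GitHubToken != "":
		method = "github"
	case onGCP && c.VaultRole == "":
		missing = append(missing, "VAULT_ROLE")
	case !onGCP && c.FunctionIdentity == "":
		missing = append(missing, "FUNCTION_IDENTITY")
	}
	if len(missing) > 0 {
		return method, fmt.Errorf("%s auth: missing %s", method, strings.Join(missing, ", "))
	}
	return method, nil
}
```

Running the check at startup, before `vault.GetSecrets`, turns a silent authentication failure into a clear error naming the variable to set.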
Integrating Vault with Kubernetes is easy to do with this project. There are examples of two different strategies:

- Using an init container and a shared volume to write a secret to a `.env` file that your app can read in when its container starts.
- Running a job or cronjob to sync Vault secrets with Kubernetes secrets, which your deployments can read in like any other k8s secrets.