luzifer/git-credential-vault
1
0
Fork 0
mirror of https://github.com/Luzifer/git-credential-vault.git synced 2024-11-09 23:00:13 +00:00
Code Issues Releases Wiki Activity

[docs] Add documentation how to use KV V2 Engine

Browse source 
Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
Knut Ahlers 2022-01-22 03:24:15 +01:00
parent 7004d4478c
commit f05762a5cf
Signed by: luzifer
GPG key ID: 0066F03ED215AD7D
1 changed files with 24 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
README.md
View file

@ -34,6 +34,30 @@ password=myverysecrettoken
protocol=https protocol=https
``` ```
### Vault KV Secrets Engine - Version 2
This tool supports both versions of the Vault KV Secrets Engine. You just need to consider one thing: Version 2 of the KV Secrets Engine does use slightly modified paths for reading secrets. In order to be compatible to both versions of the Secrets Engine you need to adjust the `vault-path-prefix` slightly when using it:
```bash
# Version 1
vault list secret_v1/git-credentials
# Keys
# ----
# github.com
git config --global credential.helper 'vault --vault-path-prefix secret_v1/git-credentials'
```
```bash
# Version 2
vault kv list secret_v2/git-credentials
# Keys
# ----
# github.com
git config --global credential.helper 'vault --vault-path-prefix secret_v2/data/git-credentials'
```
Mind the extra `/data` after the mountpoint for a mountpoint using version 2. If you omit it the tool will not work properly as it will not yield any credentials.
### Dockerfile example (git clone) ### Dockerfile example (git clone)
In this example the `VAULT_TOKEN` is passed in through a build-arg which means you **MUST** revoke the token before pushing the image, otherwise you will be leaking an active credential! In this example the `VAULT_TOKEN` is passed in through a build-arg which means you **MUST** revoke the token before pushing the image, otherwise you will be leaking an active credential!