mirror of
https://github.com/Luzifer/git-credential-vault.git
synced 2024-11-09 23:00:13 +00:00
Luzifer / git-credential-vault
git-credential-vault is an implementation of the Git Credential Storage utilizing Vault as storage backend.
The only supported action is get, as storage is managed through Vault related tools / the web-UI. The tool expects to find Vault keys per host containing username / password fields in it. Those fields are then combined with the data received from git and sent back for authentication.
Expected Vault structure
secret/git-credentials
 +- github.com
 |   +- username = api
 |   +- password = verysecrettoken
 +- gitlab.com
     +- username = user
     +- password = anothertoken
Usage
# export VAULT_ADDR=http://localhost:8200
# export VAULT_TOKEN=somesecretvaulttoken
# echo -e "protocol=https\nhost=github.com\n\n" | ./git-credential-vault --vault-path-prefix secret/git-credentials get
host=github.com
username=api
password=myverysecrettoken
protocol=https
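An added example, not the project's own code, of the get exchange shown above: it parses the attributes git sends, looks up the key for the host under the path prefix, and merges username and password into the reply. The in-memory map stands in for Vault; the function names, the host check and the line-break check are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"path"
	"strings"
)

// sample is constructed data mirroring the expected Vault structure above.
var sample = map[string]map[string]string{
	"secret/git-credentials/github.com": {"username": "api", "password": "verysecrettoken"},
}

// parseRequest reads git's key=value lines up to the first blank line.
func parseRequest(r io.Reader) map[string]string {
	attrs := map[string]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() && sc.Text() != "" {
		if k, v, ok := strings.Cut(sc.Text(), "="); ok {
			attrs[k] = v
		}
	}
	return attrs
}

// get merges the fields stored at <prefix>/<host> into git's request; store stands in for Vault.
func get(prefix string, req map[string]string, store map[string]map[string]string) (map[string]string, error) {
	host := req["host"]
	if host == "" || strings.ContainsAny(host, "/\\") || strings.Contains(host, "..") {
		return nil, fmt.Errorf("missing or unsafe host attribute %q", host)
	}
	secret, ok := store[path.Join(prefix, host)]
	if !ok {
		return nil, fmt.Errorf("no secret for host %q", host)
	}
	for _, f := range []string{"username", "password"} {
		v, ok := secret[f]
		if !ok || strings.ContainsAny(v, "\r\n") {
			return nil, fmt.Errorf("field %q missing or contains a line break", f)
		}
		req[f] = v
	}
	return req, nil
}

func main() {
	fmt.Println(get("secret/git-credentials", parseRequest(strings.NewReader("protocol=https\nhost=github.com\n\n")), sample))
}
```

The line-break check matters because the reply is itself a key=value stream: a stored value containing a newline would add extra attributes to what git reads back.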
Dockerfile example (go get)
In this example the VAULT_TOKEN is passed in through a build-arg which means you MUST revoke the token before pushing the image, otherwise you will be leaking an active credential!
FROM golang:alpine
ARG VAULT_ADDR
ARG VAULT_TOKEN
RUN set -ex \
 && apk --no-cache add git \
 && go get -u -v github.com/Luzifer/git-credential-vault \
 && git config --global credential.helper 'vault --vault-path-prefix secret/git-credentials'
RUN set -ex \
 && go get -v github.com/myuser/secretrepo
# docker build --build-arg VAULT_ADDR=${VAULT_ADDR} --build-arg VAULT_TOKEN=${VAULT_TOKEN} --no-cache .