diff --git a/README.md b/README.md index 24e407a..bab9c10 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ # Luzifer / vault2env -`vault2env` is a really small utility to transfer fields of a key in [Vault](https://www.vaultproject.io/) into the environment. It uses the [`app-id` authentication mechanism](https://www.vaultproject.io/docs/auth/app-id.html) to identify itself with the Vault server, fetches all fields in the specified key and returns export directives for bash / zsh. That way you can do `eval` stuff and pull those fields into your ENV. +`vault2env` is a really small utility to transfer fields of a key in [Vault](https://www.vaultproject.io/) into the environment. It uses the [`app-id` authentication mechanism](https://www.vaultproject.io/docs/auth/app-id.html) or simple [token authentication](https://www.vaultproject.io/docs/auth/token.html) to identify itself with the Vault server, fetches all fields in the specified key and returns export directives for bash / zsh. That way you can do `eval` stuff and pull those fields into your ENV. ## Usage @@ -39,3 +39,7 @@ export SECOND_KEY="secondvalue" ``` Though it's possible to use CLI parameters I strongly recommend to stick to the ENV variant as it's possible under certain conditions to read CLI parameters on a shared system using for example `ps aux`. + +### Using a token instead of app-id authentication + +This is quite simple: Omit parameters `--vault-app-id` and `--vault-user-id` and their respective ENV variables but set `VAULT_TOKEN` or `--vault-token`. diff --git a/main.go b/main.go index ae0896a..f5f0b67 100644 --- a/main.go +++ b/main.go @@ -16,6 +16,7 @@ var ( VaultAddress string `flag:"vault-addr" env:"VAULT_ADDR" default:"https://127.0.0.1:8200" description:"Vault API address"` VaultAppID string `flag:"vault-app-id" env:"VAULT_APP_ID" default:"" description:"The app-id to use for authentication"` VaultUserID string `flag:"vault-user-id" env:"VAULT_USER_ID" default:"" description:"The user-id to use for authentication"` + VaultToken string `flag:"vault-token" env:"VAULT_TOKEN" default:"" description:"Specify a token to use instead of app-id auth"` Export bool `flag:"export,e" default:"false" description:"Show export statements instead of running the command specified"` VersionAndExit bool `flag:"version" default:"false" description:"Print program version and exit"` }{} @@ -30,8 +31,8 @@ func init() { os.Exit(0) } - if cfg.VaultAppID == "" || cfg.VaultUserID == "" { - log.Fatalf("[ERR] You need to set vault-app-id and vault-user-id") + if (cfg.VaultAppID == "" || cfg.VaultUserID == "") && cfg.VaultToken == "" { + log.Fatalf("[ERR] You need to either set vault-app-id and vault-user-id or set vault-token") } if cfg.Export { @@ -53,15 +54,19 @@ func main() { log.Fatalf("Unable to create client: %s", err) } - loginSecret, err := client.Logical().Write("auth/app-id/login/"+cfg.VaultAppID, map[string]interface{}{ - "user_id": cfg.VaultUserID, - }) - if err != nil || loginSecret.Auth == nil { - log.Fatalf("Unable to fetch authentication token: %s", err) - } + if cfg.VaultToken == "" { + loginSecret, err := client.Logical().Write("auth/app-id/login/"+cfg.VaultAppID, map[string]interface{}{ + "user_id": cfg.VaultUserID, + }) + if err != nil || loginSecret.Auth == nil { + log.Fatalf("Unable to fetch authentication token: %s", err) + } - client.SetToken(loginSecret.Auth.ClientToken) - defer client.Auth().Token().RevokeSelf(client.Token()) + client.SetToken(loginSecret.Auth.ClientToken) + defer client.Auth().Token().RevokeSelf(client.Token()) + } else { + client.SetToken(cfg.Token) + } data, err := client.Logical().Read(rconfig.Args()[1]) if err != nil {