mirror of
https://github.com/Luzifer/vault2env.git
synced 2024-12-21 04:31:20 +00:00
Enable token auth
This commit is contained in:
parent
f7722d08b4
commit
2fcf918296
2 changed files with 20 additions and 11 deletions
|
@ -4,7 +4,7 @@
|
||||||
|
|
||||||
# Luzifer / vault2env
|
# Luzifer / vault2env
|
||||||
|
|
||||||
`vault2env` is a really small utility to transfer fields of a key in [Vault](https://www.vaultproject.io/) into the environment. It uses the [`app-id` authentication mechanism](https://www.vaultproject.io/docs/auth/app-id.html) to identify itself with the Vault server, fetches all fields in the specified key and returns export directives for bash / zsh. That way you can do `eval` stuff and pull those fields into your ENV.
|
`vault2env` is a really small utility to transfer fields of a key in [Vault](https://www.vaultproject.io/) into the environment. It uses the [`app-id` authentication mechanism](https://www.vaultproject.io/docs/auth/app-id.html) or simple [token authentication](https://www.vaultproject.io/docs/auth/token.html) to identify itself with the Vault server, fetches all fields in the specified key and returns export directives for bash / zsh. That way you can do `eval` stuff and pull those fields into your ENV.
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
|
||||||
|
@ -39,3 +39,7 @@ export SECOND_KEY="secondvalue"
|
||||||
```
|
```
|
||||||
|
|
||||||
Though it's possible to use CLI parameters I strongly recommend to stick to the ENV variant as it's possible under certain conditions to read CLI parameters on a shared system using for example `ps aux`.
|
Though it's possible to use CLI parameters I strongly recommend to stick to the ENV variant as it's possible under certain conditions to read CLI parameters on a shared system using for example `ps aux`.
|
||||||
|
|
||||||
|
### Using a token instead of app-id authentication
|
||||||
|
|
||||||
|
This is quite simple: Omit parameters `--vault-app-id` and `--vault-user-id` and their respective ENV variables but set `VAULT_TOKEN` or `--vault-token`.
|
||||||
|
|
25
main.go
25
main.go
|
@ -16,6 +16,7 @@ var (
|
||||||
VaultAddress string `flag:"vault-addr" env:"VAULT_ADDR" default:"https://127.0.0.1:8200" description:"Vault API address"`
|
VaultAddress string `flag:"vault-addr" env:"VAULT_ADDR" default:"https://127.0.0.1:8200" description:"Vault API address"`
|
||||||
VaultAppID string `flag:"vault-app-id" env:"VAULT_APP_ID" default:"" description:"The app-id to use for authentication"`
|
VaultAppID string `flag:"vault-app-id" env:"VAULT_APP_ID" default:"" description:"The app-id to use for authentication"`
|
||||||
VaultUserID string `flag:"vault-user-id" env:"VAULT_USER_ID" default:"" description:"The user-id to use for authentication"`
|
VaultUserID string `flag:"vault-user-id" env:"VAULT_USER_ID" default:"" description:"The user-id to use for authentication"`
|
||||||
|
VaultToken string `flag:"vault-token" env:"VAULT_TOKEN" default:"" description:"Specify a token to use instead of app-id auth"`
|
||||||
Export bool `flag:"export,e" default:"false" description:"Show export statements instead of running the command specified"`
|
Export bool `flag:"export,e" default:"false" description:"Show export statements instead of running the command specified"`
|
||||||
VersionAndExit bool `flag:"version" default:"false" description:"Print program version and exit"`
|
VersionAndExit bool `flag:"version" default:"false" description:"Print program version and exit"`
|
||||||
}{}
|
}{}
|
||||||
|
@ -30,8 +31,8 @@ func init() {
|
||||||
os.Exit(0)
|
os.Exit(0)
|
||||||
}
|
}
|
||||||
|
|
||||||
if cfg.VaultAppID == "" || cfg.VaultUserID == "" {
|
if (cfg.VaultAppID == "" || cfg.VaultUserID == "") && cfg.VaultToken == "" {
|
||||||
log.Fatalf("[ERR] You need to set vault-app-id and vault-user-id")
|
log.Fatalf("[ERR] You need to either set vault-app-id and vault-user-id or set vault-token")
|
||||||
}
|
}
|
||||||
|
|
||||||
if cfg.Export {
|
if cfg.Export {
|
||||||
|
@ -53,15 +54,19 @@ func main() {
|
||||||
log.Fatalf("Unable to create client: %s", err)
|
log.Fatalf("Unable to create client: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
loginSecret, err := client.Logical().Write("auth/app-id/login/"+cfg.VaultAppID, map[string]interface{}{
|
if cfg.VaultToken == "" {
|
||||||
"user_id": cfg.VaultUserID,
|
loginSecret, err := client.Logical().Write("auth/app-id/login/"+cfg.VaultAppID, map[string]interface{}{
|
||||||
})
|
"user_id": cfg.VaultUserID,
|
||||||
if err != nil || loginSecret.Auth == nil {
|
})
|
||||||
log.Fatalf("Unable to fetch authentication token: %s", err)
|
if err != nil || loginSecret.Auth == nil {
|
||||||
}
|
log.Fatalf("Unable to fetch authentication token: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
client.SetToken(loginSecret.Auth.ClientToken)
|
client.SetToken(loginSecret.Auth.ClientToken)
|
||||||
defer client.Auth().Token().RevokeSelf(client.Token())
|
defer client.Auth().Token().RevokeSelf(client.Token())
|
||||||
|
} else {
|
||||||
|
client.SetToken(cfg.Token)
|
||||||
|
}
|
||||||
|
|
||||||
data, err := client.Logical().Read(rconfig.Args()[1])
|
data, err := client.Logical().Read(rconfig.Args()[1])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
Loading…
Reference in a new issue