2.8 KiB
Luzifer / vault2env
vault2env
is a really small utility to transfer fields of a key in Vault into the environment. It uses the app-role
or simple token authentication to identify itself with the Vault server, fetches all fields in the specified keys and returns export directives for bash / zsh. That way you can do eval
stuff and pull those fields into your ENV. If you don't want to use export directives you also can pass commands to vault2env
to be executed using those environment variables.
Usage
In general this program can either output your ENV variables to use with eval
or similar or it can run a program with populated environment.
$ vault2env --key=<secret path> <command>
<program is started, you see its output>
$ vault2env --export --key=<secret path>
export ...
In case you have a command with arguments you need to separate the command using double dashes, which is a feature of your shell:
$ vault2env --key=<secret path> -- <command with arguments>
This prevents vault2env
from interpreting and complaining about the arguments passed to the sub-command.
Using evironment variables
# export VAULT_ADDR="https://127.0.0.1:8200"
# export VAULT_ROLE_ID="29c8febe-49f5-4620-a177-20dff0fda2da"
# export VAULT_SECRET_ID="54d24f66-6ecb-4dcc-bdb7-0241a955f1df"
# vault2env --export --key=secret/my/path/with/keys
export FIRST_KEY="firstvalue"
export SECOND_KEY="secondvalue"
# eval $(vault2env --export --key=secret/my/path/with/keys)
# echo "${FIRST_KEY}"
firstvalue
Using CLI parameters
The command does differ only with its parameters specified for the different authentication mechanisms:
- When using AppRole you need to specify
--vault-role-id
and optionally--vault-secret-id
if you're using thebind_secret_id
flag for your AppRole - When using Token auth only specify
--vault-token
# vault2env --vault-addr="..." --vault-app-id="..." --vault-user-id="..." --key=secret/my/path/with/keys
export FIRST_KEY="firstvalue"
export SECOND_KEY="secondvalue"
Though it's possible to use CLI parameters I strongly recommend to stick to the ENV variant as it's possible under certain conditions to read CLI parameters on a shared system using for example ps aux
.