This repo is deprecated and is now maintained by TeamSnap at TeamSnap/vault-key.
This repo makes it easy to use Vault with GCP auth. It uses a GCP service account and JSON web tokens to login to Vault without a password. Then it retrieves the secrets you need and makes them available in your code, hassle free.
package main
import (
"context"
"fmt"
"github.com/stevenaldinger/vault/pkg/vault"
)
var env = map[string]map[string]string{}
var envArr = []string{
"secret-engine/data/secret-name",
"secret-engine-2/data/another-secret-name",
}
func main() {
ctx := context.Background()
vault.GetSecrets(ctx, &env, envArr)
fmt.Println("Secret values:", env)
fmt.Println("secret-key value = " + env["secret-engine/data/secret-name"]["secret-key"])
fmt.Println("secret-key-2 value = " + env["secret-engine-2/data/another-secret-name"]["secret-key-2"])
}const vault = require('@aldinger/vault')
const secrets = [
'secret-engine/data/secret-name',
'secret-engine-2/data/another-secret-name'
]
const secretData = vault.getSecrets(secrets)
console.log('Secret values:', JSON.stringify(secretData, null, 4))
console.log(`secret-key value = ${secretData['secret-engine/data/secret-name']['secret-key']}`)
console.log(`secret-key-2 value = ${secretData['secret-engine-2/data/another-secret-name']['secret-key-2']}`)require 'vault'
secrets = [
"secret-engine/data/secret-name",
"secret-engine-2/data/another-secret-name"
]
secretData = Vault.getSecrets(secrets)
puts secretData
puts secretsData["secret-engine/data/secret-name"]["secret-key"]
puts secretsData["secret-engine-2/data/another-secret-name"]["secret-key-2"]| Environment Variable | Default | Required (GCP) | Required (other environments) | Example | Description |
|---|---|---|---|---|---|
ENVIRONMENT |
"development" |
No | No | production |
If set to anything but production, prints trace level logs |
FUNCTION_IDENTITY |
"" |
No | Yes | [email protected] |
Email address associated with service account |
GCLOUD_PROJECT |
"" |
No | Yes | my-project-123 |
Project ID the service account belongs to |
GOOGLE_APPLICATION_CREDENTIALS |
"" |
No | Yes | service-account/my-project-123.serviceaccount.json |
Path to service account credentials file |
TRACE_ENABLED |
"false" |
No | No | true |
Whether or to enable opencensus tracing |
TRACE_PREFIX |
"vault" |
No | No | my-company |
Prefix added to name of tracing spans |
VAULT_ADDR |
"" |
Yes | Yes | https://vault.my-company.com |
Vault address including protocol |
VAULT_ROLE |
"" |
Yes | Yes | vault-role-cloud-functions |
Name of role created in Vault for GCP auth |
Because this project uses the Google Cloud auth method for Vault, you'll need to configure a role for the service account you're using. By default, for Google Cloud Functions that will be <project-id>@appspot.gserviceaccount.com. You can use the Terraform example to get you started.
Integrating Vault with Kubernetes is easy to do with this project.
There are examples of two different strategies.
- Using an init container and a shared volume to write a secret to a
.envfile that your app can read in when it's container starts - Running a job or cronjob to sync Vault secrets with Kubernetes secrets that your deployments can read in like they would any other k8s secrets.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent