vault-credentials

Rust library that fetches secrets from Vault and loads them as environment variables

8 releases (3 stable)

1.0.2 Jan 5, 2022
1.0.0 Jan 4, 2022
0.4.1 Oct 11, 2021
0.4.0 May 14, 2021
0.1.0 Mar 14, 2021

#128 in #secret

MIT/Apache

11KB
187 lines

Vault Credentials

Rust library that fetches secrets from Vault and loads them as environment variables. Inspired by Spring Cloud Vault.

Getting started

We will assume that you want to retrieve some secrets from your local Vault Server.

This is the JSON secret stored at secret/hello (as seen from Vault, through either the Vault UI or the Vault CLI):

{
  "my-key": "my-value",
  "github.com": {
    "api-key": "123456",
    "base-url": "http://localhost:8080"
  }
}

In your program you must provide the environment variables required to connect to the Vault server and retrieve the token. You can use the dotenv crate and put the variables in a .env file.

VAULT_ADDR=http://127.0.0.1:8200
VAULT_PATH=hello
VAULT_TYPE=approle
VAULT_ROLE_ID=9bf0581f-[...]-533ba207ec80
VAULT_SECRET_ID=55473ff2-[...]-0ab9ae6e499b

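To use the vault_credentials crate in your program, import it and call initialize.

use dotenv::dotenv;

#[tokio::main]
async fn main() {
    // Load the VAULT_* settings from the .env file, if one is present.
    dotenv().ok();
    // Log in to Vault, read the secret and export its keys as environment variables.
    vault_credentials::initialize().await;

    // Nested keys are joined with dots: "github.com" -> "api-key".
    println!("{}", std::env::var("github.com.api-key").unwrap());
    // Output: 123456
}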

Authentication types

You can select another authentication type by setting VAULT_TYPE (the default is token).

| Vault Type | Required environment variables |
| --- | --- |
| token | VAULT_TOKEN |
| approle | VAULT_ROLE_ID, VAULT_SECRET_ID |
| kubernetes | VAULT_K8S_AUTH_PATH, VAULT_ROLE_NAME |
| userpass, ldap | VAULT_USERNAME, VAULT_PASSWORD |
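
A preflight check for the settings in the table above, meant to run before vault_credentials::initialize(); this is an added example, not code from the vault-credentials crate. The names AUTH_VARS, get, plaintext_remote and preflight are hypothetical, and treating VAULT_ADDR and VAULT_PATH as always required is an assumption based on the .env shown earlier.

```rust
use std::collections::HashMap;

// Required variables per VAULT_TYPE, copied from the table above.
const AUTH_VARS: &[(&str, &[&str])] = &[
    ("token", &["VAULT_TOKEN"]),
    ("approle", &["VAULT_ROLE_ID", "VAULT_SECRET_ID"]),
    ("kubernetes", &["VAULT_K8S_AUTH_PATH", "VAULT_ROLE_NAME"]),
    ("userpass", &["VAULT_USERNAME", "VAULT_PASSWORD"]),
    ("ldap", &["VAULT_USERNAME", "VAULT_PASSWORD"]),
];

// A variable counts as set only if it is present and not blank.
fn get<'a>(env: &'a HashMap<String, String>, key: &str) -> Option<&'a str> {
    env.get(key).map(|v| v.trim()).filter(|v| !v.is_empty())
}

// True when addr is plain http:// to anything other than the local machine.
fn plaintext_remote(addr: &str) -> bool {
    let Some(rest) = addr.strip_prefix("http://") else { return false };
    let authority = rest.split('/').next().unwrap_or("");
    let host = match authority.rfind(':') {
        Some(i) if !authority[i..].contains(']') => &authority[..i], // strip :port
        _ => authority,
    };
    !matches!(host, "127.0.0.1" | "localhost" | "[::1]")
}

// Credential variables are reported by name only, never by value, so the output is safe to log.
fn preflight(env: &HashMap<String, String>) -> Vec<String> {
    let mut problems = Vec::new();
    for key in ["VAULT_ADDR", "VAULT_PATH"] { // assumed always needed (both are in the .env above)
        if get(env, key).is_none() { problems.push(format!("missing {key}")); }
    }
    let vault_type = get(env, "VAULT_TYPE").unwrap_or("token"); // documented default
    let vars = AUTH_VARS.iter().find(|(t, _)| *t == vault_type).map(|(_, v)| *v);
    if vars.is_none() { problems.push(format!("unknown VAULT_TYPE={vault_type}")); }
    for key in vars.unwrap_or(&[]) {
        if get(env, key).is_none() { problems.push(format!("missing {key} ({vault_type} auth)")); }
    }
    if get(env, "VAULT_ADDR").map_or(false, plaintext_remote) {
        problems.push("VAULT_ADDR is plain http:// to a non-loopback host".to_string());
    }
    problems
}

fn main() {
    let env: HashMap<String, String> = std::env::vars().collect();
    for p in preflight(&env) { eprintln!("vault preflight: {p}"); }
}
```

In the program above, run it after dotenv().ok() and skip initialize() when the returned list is not empty.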

Namespace

If you use a namespace, you can define it with the environment variable VAULT_NAMESPACE. This adds a header to the requests.

Dependencies

~7–18MB
~253K SLoC