bin+lib vault-vars

A tool to fetch secrets from HashiCorp Vault and inject them into variable files for HashiCorp Terraform

3 releases

0.0.4 Mar 26, 2023
0.0.2 Mar 19, 2023
0.0.1 Mar 19, 2023

AGPL-3.0

VERY Pre-Beta

This is a work-in-progress tool. Right now it doesn't do much except merge some YAML files together.

vault-vars

Vault-vars is a command-line tool that reads secrets from HashiCorp Vault and saves them to a Terraform auto.tfvars.json file.

Installation:

cargo install vault-vars

Usage:

By default, the tool will read as input any file that matches the name *vault-vars.yaml or *vault-vars.yml.

By default, the tool will write the merged JSON representation of all the input files to: vv.auto.tfvars.json

Work in progress:

The base goal:

The eventual goal is that the tool will be able to read entries like this:

appCreds:
    username:
        @vault:
            path: secret/app/credentials
            subpath: username
    password:
        @vault:
            path: secret/app/credentials
            subpath: password

and use the @vault config to read the secrets from Vault, so that the result is:

appCreds:
    username: iamroot
    password: password123

Shorthands:

There will be various shorthands as well. For example:

appCreds:
  @vault: secret/app/credentials

This will read the secret at the given path and write every key-value pair under it:

appCreds:
  username: iamroot
  password: password123
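
The expansion described in the two sections above (long form with path and subpath, and the path-only shorthand), as an added sketch that is not vault-vars' own code. Node, MockVault, read, resolve and the helper functions are hypothetical names, an in-memory map stands in for Vault, and two rules are assumptions: a @vault key must be the only key in its mapping, and a missing path or key is an error rather than an empty value in the output file.

```rust
use std::collections::BTreeMap;

// Minimal stand-in for a parsed YAML tree (assumption: not vault-vars' own types).
#[derive(Debug, Clone, PartialEq)]
enum Node { Str(String), Map(BTreeMap<String, Node>) }
// Constructed stand-in for Vault reads: secret path -> key/value pairs.
type MockVault = BTreeMap<String, BTreeMap<String, String>>;

fn read<'a>(vault: &'a MockVault, path: &str) -> Result<&'a BTreeMap<String, String>, String> {
    vault.get(path).ok_or(format!("no secret at {path}"))
}

// Replace every `@vault` directive with the secret it names; fail instead of emitting blanks.
fn resolve(node: &Node, vault: &MockVault) -> Result<Node, String> {
    let Node::Map(map) = node else { return Ok(node.clone()) };
    let Some(directive) = map.get("@vault") else {
        // Ordinary mapping: recurse into each child.
        let mut out = BTreeMap::new();
        for (k, v) in map { out.insert(k.clone(), resolve(v, vault)?); }
        return Ok(Node::Map(out));
    };
    if map.len() != 1 { return Err("@vault must be the only key in its mapping".into()); } // assumed rule
    match directive {
        // Shorthand `@vault: <path>`: expand to every key/value pair of the secret.
        Node::Str(path) => Ok(Node::Map(read(vault, path)?.iter()
            .map(|(k, v)| (k.clone(), Node::Str(v.clone()))).collect())),
        // Long form: `path` plus `subpath` selects a single value.
        Node::Map(cfg) => {
            let (Some(Node::Str(path)), Some(Node::Str(sub))) = (cfg.get("path"), cfg.get("subpath"))
                else { return Err("@vault needs string `path` and `subpath`".into()) };
            read(vault, path)?.get(sub).map(|v| Node::Str(v.clone()))
                .ok_or(format!("no key {sub} at {path}"))
        }
    }
}

fn s(v: &str) -> Node { Node::Str(v.to_string()) }
fn m(pairs: Vec<(&str, Node)>) -> Node {
    Node::Map(pairs.into_iter().map(|(k, v)| (k.to_string(), v)).collect())
}
// Constructed sample data reusing the README's path and values.
fn sample_vault() -> MockVault {
    let kv = [("username", "iamroot"), ("password", "password123")];
    let secret = kv.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect();
    BTreeMap::from([("secret/app/credentials".to_string(), secret)])
}

fn main() {
    let input = m(vec![("appCreds", m(vec![("@vault", s("secret/app/credentials"))]))]);
    println!("{:?}", resolve(&input, &sample_vault()));
}
```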

Stretch Goals:

  • support both read and write operations (e.g.: when fetching a PKI cert from vault)
  • support other secret engine sources
    • AWS Vault
    • Azure Vault
    • Apple Keychain
