vault

package
v1.3.0 Latest Latest
Published: Mar 10, 2020 License: GPL-3.0 Imports: 20 Imported by: 0


Constants

// Name is the Provider name.
const Name = "vault"

// Grammar of the KeysEnvVar value: keys are listed one after another,
// separated by VaultKeysSeparator, and each key may carry a version suffix
// introduced by VaultKeySeparator (path@version). The EnvVaultKeys usage
// text in EnvVars shows the full form.
const (
	// VaultKeysSeparator separates one vault key from the next in KeysEnvVar.
	VaultKeysSeparator = ":"

	// VaultKeySeparator separates a key's path from its version in KeysEnvVar.
	VaultKeySeparator = "@"
)
// Names of every environment variable this provider reads or writes, grouped
// by the system they belong to. Usage text for the ones a user sets lives in
// EnvVars.
const (
	// Standard AWS SDK credential variables (see the EnvVaultAwsRole usage
	// text in EnvVars for how generated credentials are exposed).
	EnvAwsAccessKeyId     = "AWS_ACCESS_KEY_ID"
	EnvAwsProfile         = "AWS_PROFILE"
	EnvAwsSecretAccessKey = "AWS_SECRET_ACCESS_KEY"
	EnvAwsSessionToken    = "AWS_SESSION_TOKEN"
	EnvAwsSharedCredFile  = "AWS_SHARED_CREDENTIALS_FILE"

	// GCP credential outputs.
	EnvGoogleCredFile = "GOOGLE_CREDENTIALS_FILE"
	EnvGoogleToken    = "GCP_TOKEN"

	// Set by Kubernetes inside a Pod; their presence is what marks "running
	// in a cluster" for the kubernetes auth method.
	EnvKubernetesServiceHost = "KUBERNETES_SERVICE_HOST"
	EnvKubernetesServicePort = "KUBERNETES_SERVICE_PORT"

	// Vault login configuration. AppSecret and AppJWT are credential
	// material and should be treated as such by anything that logs the
	// environment.
	EnvVaultAuthMethod = "VAULT_AUTH_METHOD"
	EnvVaultAuthPath   = "VAULT_AUTH_PATH"
	EnvVaultAuthData   = "VAULT_AUTH_DATA"
	EnvVaultAppRole    = "VAULT_APP_ROLE"
	EnvVaultAppSecret  = "VAULT_APP_SECRET"
	EnvVaultAppJWT     = "VAULT_APP_JWT"

	// Vault AWS secret engine. EnvVaultIamRole is the deprecated spelling of
	// EnvVaultAwsRole (see EnvVars).
	EnvVaultAwsPath = "VAULT_AWS_PATH"
	EnvVaultAwsRole = "VAULT_AWS_ROLE"
	EnvVaultIamRole = "VAULT_IAM_ROLE"

	// Vault GCP secret engine.
	EnvVaultGcpPath     = "VAULT_GCP_PATH"
	EnvVaultGcpRole     = "VAULT_GCP_ROLE"
	EnvVaultGcpCredType = "VAULT_GCP_CRED_TYPE"

	// Vault KV keys to read (see VaultKeysSeparator / VaultKeySeparator).
	EnvVaultKeys = "VAULT_KV_KEYS"

	// Opt-in to passing the Vault token on to the sub-process.
	EnvVestExposeVaultToken = "VEST_VAULT_EXPOSE_TOKEN"
)

Variables

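var (
	// ErrVaultEmptyResponse is returned when vault responds with no data.
	ErrVaultEmptyResponse = errors.New("no data returned from vault")
	// ErrVaultUnexpectedResponse is returned when vault does not respond with the expected data.
	ErrVaultUnexpectedResponse = errors.New("unexpected response from vault")
	// ErrNotInKubernetes is returned when vestibule is not running in a kubernetes cluster.
	ErrNotInKubernetes = errors.New("not running in kubernetes cluster")
	// ErrInvalidKVKey is returned when the given key is invalid.
	ErrInvalidKVKey = errors.New("invalid vault KV key")
	// ErrUnexpectedVaultResponse is a second exported name for
	// ErrVaultUnexpectedResponse. It is bound to the same value rather than
	// to a separate errors.New with the same text, so that
	// errors.Is(err, ErrUnexpectedVaultResponse) and
	// errors.Is(err, ErrVaultUnexpectedResponse) agree regardless of which
	// name the returning code used.
	//
	// Deprecated: use ErrVaultUnexpectedResponse.
	ErrUnexpectedVaultResponse = ErrVaultUnexpectedResponse

	// EnvVars maps each known configuration environment variable to its
	// usage description, keyed by the Env* constants (plus the "VAULT_*"
	// wildcard entry covering the vault client's own variables). The
	// EnvVestExposeVaultToken entry documents that enabling it hands the
	// Vault token to the sub-process, which widens the token's exposure.
	EnvVars = map[string]string{
		EnvVaultKeys: `If VAULT_KV_KEYS is set, will iterate over each key (colon separated), attempting to get the secret from Vault.
Secrets are pulled at the optional version or latest, then injected into Environ. If running in Kubernetes,
the Pod's ServiceAccount token will automatically be looked up and used for Vault authentication.
e.g. VAULT_KV_KEYS=/path/to/key1[@version]:/path/to/key2[@version]:...`,
		EnvVaultAwsRole: `Name of the aws role to generate credentials against. If credentials are returned, the access key and secret key will be injected into
the process environment using the standard environment variables and a credentials file will be written to
the path from AWS_SHARED_CREDENTIALS_FILE (by default "/var/run/aws/credentials")`,
		"VAULT_*":               "All vault client configuration environment variables are respected. More information at https://www.vaultproject.io/docs/commands/#environment-variables",
		EnvVaultIamRole:         "[DEPRECATED] Name of the aws role to generate credentials against.",
		EnvAwsProfile:           `AWS profile to use in the shared credentials file. Defaults to "default"`,
		EnvAwsSharedCredFile:    `Path to the AWS shared credentials file to write credentials to. Defaults to "/var/run/aws/credentials"`,
		EnvGoogleCredFile:       `Path to the GCP service account credentials file to create. Defaults to "/var/run/gcp/creds.json"`,
		EnvVaultAppJWT:          "The jwt for use with OIDC/JWT authentication",
		EnvVaultAppRole:         "Either the role id for AppRole authentication, or the role name fo Kubernetes authentication.",
		EnvVaultAppSecret:       "The secret id for use with AppRole authentication",
		EnvVaultAuthData:        "Data payload to send with authentication request. JSON object.",
		EnvVaultAuthMethod:      `Authentication method for vault. Default is "kubernetes".`,
		EnvVaultAuthPath:        "Authentication path for vault authentication - e.g. okta/login/:user. Overrides VAULT_AUTH_METHOD if set.",
		EnvVaultAwsPath:         `Mountpoint for the vault AWS secret engine. Defaults to "aws".`,
		EnvVaultGcpCredType:     "GCP credential type to generate. Defaults to key. Accepted values are [token key]",
		EnvVaultGcpPath:         `Mountpoint for the vault GCP secret engine. Defaults to "gcp".`,
		EnvVaultGcpRole:         "Name of the GCP role in vault to generate credentials against.",
		EnvVestExposeVaultToken: "Should we expose the resulting vault token, even if vest generated it, for the sub-process? (POTENTIALLY INSECURE -- USE WITH CAUTION!)",
	}
)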

Functions

func New

func New() (environ.Provider, error)

New returns a Client as an environ.Provider or an error if configuring failed. If running in a Kubernetes cluster and not provided a token, will use the service account token.

Types

type Client

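// Client is an environ.Provider wrapping a github.com/hashicorp/vault/api.Client.
// Its fields are populated from the environment via the `env` struct tags (the
// usage text for each variable is in EnvVars); the envDefault values only take
// effect when the struct is parsed from the environment, which New presumably
// does — a zero Client has none of them. AppSecret, AppJWT and AuthData carry
// login credential material.
type Client struct {
	*api.Client

	// AuthMethod is the Vault auth method used to log in. SetAuthMethod
	// fills it when it is unset.
	AuthMethod string `env:"VAULT_AUTH_METHOD"`

	// AuthPath is an explicit login API path; when set it overrides AuthMethod.
	AuthPath string `env:"VAULT_AUTH_PATH"`

	// AuthData is the extra JSON payload sent with the login request. It is
	// held as a RedactableAuthData rather than a plain string, presumably so
	// that formatting the Client does not echo the raw payload — confirm
	// against RedactableAuthData.String.
	AuthData *RedactableAuthData `env:"VAULT_AUTH_DATA"`

	// AppRole is the AppRole role id, or the role name for Kubernetes auth.
	AppRole string `env:"VAULT_APP_ROLE"`

	// AppSecret is the AppRole secret id.
	AppSecret string `env:"VAULT_APP_SECRET"`

	// AppJWT is the token used for OIDC/JWT auth.
	AppJWT string `env:"VAULT_APP_JWT"`

	// AwsRole names the AWS secret engine role to generate credentials
	// against; IamRole is the deprecated spelling of the same setting.
	AwsRole string `env:"VAULT_AWS_ROLE"`
	IamRole string `env:"VAULT_IAM_ROLE"`

	// AwsPath is the mount point of the AWS secret engine.
	AwsPath string `env:"VAULT_AWS_PATH" envDefault:"aws"`

	// AwsCredFile is where generated AWS credentials are written, under the
	// AwsProfile section.
	AwsCredFile string `env:"AWS_SHARED_CREDENTIALS_FILE" envDefault:"/var/run/aws/credentials"`
	AwsProfile  string `env:"AWS_PROFILE" envDefault:"default"`

	// GcpPath is the mount point of the GCP secret engine and GcpRole the
	// role to generate credentials against.
	GcpPath string `env:"VAULT_GCP_PATH" envDefault:"gcp"`
	GcpRole string `env:"VAULT_GCP_ROLE"`

	// GcpCredType selects what to generate ("token" or "key"); a key is
	// written to GcpCredFile.
	GcpCredType string `env:"VAULT_GCP_CRED_TYPE" envDefault:"key"`
	GcpCredFile string `env:"GOOGLE_CREDENTIALS_FILE" envDefault:"/var/run/gcp/creds.json"`

	// ExposeToken, when true, passes the Vault token vest obtained on to the
	// sub-process environment; it is off by default. The default is quoted
	// because an unquoted tag value (envDefault:false) is malformed: go vet
	// reports it and reflect.StructTag.Get returns "" for it.
	ExposeToken bool `env:"VEST_VAULT_EXPOSE_TOKEN" envDefault:"false"`

	// Keys are the KV keys to read, parsed from the ":"-separated list.
	Keys []KVKey `env:"VAULT_KV_KEYS" envSeparator:":"`
}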

Client is an environ.Provider and github.com/hashicorp/vault/api.Client which will get the requested keys

func (*Client) AddToEnviron

func (client *Client) AddToEnviron(env *environ.Environ) error

AddToEnviron iterates through the given []VaultKeys, decoding the data returned from each key into a map[string]string and merging it into the environ.Environ

func (*Client) SetAuthMethod added in v1.2.0

func (client *Client) SetAuthMethod()

SetAuthMethod sets the AuthMethod if not already set

func (*Client) SetLoginPath added in v1.2.0

func (client *Client) SetLoginPath()

SetLoginPath sets the api path to login with vault for the auth method

func (*Client) SetVaultToken added in v1.2.0

func (client *Client) SetVaultToken() error

SetVaultToken sets the AuthMethod and AuthPath if not already set and uses those to request a session token from vault

type KVKey added in v0.1.0

// KVKey identifies one Vault KV secret to read: the key's path and, optionally,
// the exact version to fetch.
type KVKey struct {
	// Path is the key's path in the KV engine, e.g. /path/to/key1.
	Path string
	// Version is the KV version to fetch; nil means the latest version
	// (the "@version" suffix in VAULT_KV_KEYS is optional).
	Version *int
}

KVKey is a KV version 2 key in Vault.

type KVKeys added in v0.1.0

// KVKeys is a named []KVKey; the named type exists so caarlos0/env can parse
// a VAULT_KV_KEYS value into it.
type KVKeys []KVKey

KVKeys is a named []KVKey type (see the declaration above). It is needed for caarlos0/env to support parsing.

type RedactableAuthData added in v1.2.7

// RedactableAuthData wraps the VAULT_AUTH_DATA login payload (see
// Client.AuthData). A String method is defined on it so the value can be
// formatted without printing the raw payload — presumably it emits a redacted
// form; confirm against String's body, which is not shown here.
type RedactableAuthData struct {
	// contains filtered or unexported fields
}

func (*RedactableAuthData) String added in v1.2.7

func (vd *RedactableAuthData) String() string
