package vaultlib

import ""

Package vaultlib is a lightweight Go library for reading Vault KV secrets. It interacts with the Vault server using the HTTP API only.

First create a new *config object using NewConfig().

Then create your Vault client using NewClient(*config).

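// This fragment is meant to run inside a function body.

// Create a new config. It reads environment variables and falls back to
// default values where a variable is not set.
vcConf := NewConfig()

// Set the Vault AppRole secret ID at runtime, for example after reading it
// from a Docker secret, rather than hard-coding it in source:
// vcConf.AppRoleCredentials.SecretID = secretID

// Create a new client.
vaultCli, err := NewClient(vcConf)
if err != nil {
	fmt.Println("creating Vault client:", err)
	return
}

// Get the Vault KV secret from kv_v1/path/my-secret.
kvV1, err := vaultCli.GetSecret("kv_v1/path/my-secret")
if err != nil {
	fmt.Println("reading kv_v1/path/my-secret:", err)
	return
}
// Printing secret values is for demonstration only; real code should not
// write them to stdout or logs.
for k, v := range kvV1.KV {
	fmt.Printf("Secret %v: %v\n", k, v)
}

// Get the Vault KVv2 secret kv_v2/path/my-secret.
kvV2, err := vaultCli.GetSecret("kv_v2/path/my-secret")
if err != nil {
	fmt.Println("reading kv_v2/path/my-secret:", err)
	return
}
for k, v := range kvV2.KV {
	fmt.Printf("Secret %v: %v\n", k, v)
}

// Get a raw JSON secret from kv_v2/path/json-secret.
jsonSecret, err := vaultCli.GetSecret("kv_v2/path/json-secret")
if err != nil {
	fmt.Println("reading kv_v2/path/json-secret:", err)
	return
}
// JSONSecret is a json.RawMessage (a byte slice): %s prints the JSON text,
// whereas %v would print the individual byte values.
fmt.Printf("%s\n", jsonSecret.JSONSecret)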



Package Files

auth.go client.go conf.go request.go util.go vault.go

type AppRoleCredentials Uses

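// AppRoleCredentials holds the app role secret and role ids.
//
// SecretID is a credential: keep it out of source control and logs.
type AppRoleCredentials struct {
	RoleID   string `json:"role_id"`   // AppRole role id
	SecretID string `json:"secret_id"` // AppRole secret id (sensitive)
}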

AppRoleCredentials holds the app role secret and role ids

type Client Uses

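// Client holds the vault client.
type Client struct {
	// contains filtered or unexported fields
}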

Client holds the vault client

func NewClient Uses

func NewClient(c *Config) (*Client, error)

NewClient returns a new client based on the provided config


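// Build the configuration from the environment, then create the client.
myConfig := NewConfig()
myVaultClient, err := NewClient(myConfig)
if err != nil {
	// Do not continue with a client that could not be created.
	fmt.Println(err)
	return
}
_ = myVaultClient // use the client from here on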

func (*Client) GetSecret Uses

func (c *Client) GetSecret(path string) (secret Secret, err error)

GetSecret returns the Vault secret object

KV: map[string]string if the secret is a KV

JSONSecret: json.RawMessage if the secret is a json

func (*Client) GetStatus Uses

func (c *Client) GetStatus() string

GetStatus returns the last action status/log

func (*Client) GetTokenInfo Uses

func (c *Client) GetTokenInfo() *VaultTokenInfo

GetTokenInfo returns the current token information

func (*Client) IsAuthenticated Uses

func (c *Client) IsAuthenticated() bool

IsAuthenticated returns true if the last call to Vault was ok


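// Build the configuration from the environment, then create the client.
myConfig := NewConfig()
myVaultClient, err := NewClient(myConfig)
if err != nil {
	// Do not call methods on a client that could not be created.
	fmt.Println(err)
	return
}
if myVaultClient.IsAuthenticated() {
	fmt.Println("myVaultClient's connection is ok")
}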

func (*Client) RawRequest Uses

func (c *Client) RawRequest(method, path string, payload interface{}) (result json.RawMessage, err error)

RawRequest creates and executes an HTTP request against the Vault HTTP API for the client. It uses the client's token for authentication.

Specify the HTTP method, the Vault path (e.g. /v1/auth/token/lookup) and an optional JSON payload. Returns the Vault JSON response.

type Config Uses

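// Config holds the vault client config.
//
// Token and AppRoleCredentials carry credentials; avoid printing or logging
// a Config value as a whole.
type Config struct {
	Address    string        // Vault server URL
	MaxRetries int           // presumably the retry count for failed requests — confirm in request.go
	Timeout    time.Duration // presumably the HTTP request timeout — confirm in client.go
	CACert     string        // path to a CA pem file
	// InsecureSSL presumably disables TLS certificate verification
	// (see VAULT_SKIP_VERIFY) — confirm in conf.go. Leave false unless testing.
	InsecureSSL        bool
	AppRoleCredentials *AppRoleCredentials // AppRole role id and secret id
	Token              string              // Vault token, used when AppRole is not
}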

Config holds the vault client config

func NewConfig Uses

func NewConfig() *Config

NewConfig returns a new configuration based on env vars or default value.

Reads ENV:

VAULT_ADDR            Vault server URL (default http://localhost:8200)
VAULT_ROLEID          Vault app role id
VAULT_SECRETID        Vault app role secret id
VAULT_TOKEN           Vault Token (in case approle is not used)
VAULT_CACERT          Path to CA pem file
VAULT_SKIP_VERIFY     Skip TLS certificate verification (insecure; leave unset outside of testing)

Modify the returned config object to adjust your configuration.


// Start from the environment/default configuration, then override the
// server address. Plain http:// as shown sends the token and secrets
// unencrypted; use an https:// address for anything other than a local
// test server.
cfg := NewConfig()
cfg.Address = "http://localhost:8200"

type Secret Uses

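// Secret holds the secret returned by GetSecret.
//
// Both fields contain secret material; avoid logging a Secret value.
type Secret struct {
	KV         map[string]string // data in case of a KV secret
	JSONSecret json.RawMessage   // data in case of a raw JSON secret
}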

Secret holds the secret.

KV contains data in case of KV secret.

JSONSecret contains data in case of JSON raw secret.

type VaultTokenInfo Uses

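// VaultTokenInfo holds the Vault token information.
//
// The field names mirror the JSON keys given in the struct tags.
// NOTE(review): in Vault's token lookup response "id" is the token value
// itself, so this struct should be treated as sensitive — confirm against
// how GetTokenInfo populates it.
type VaultTokenInfo struct {
	Accessor       string      `json:"accessor"`
	CreationTime   int         `json:"creation_time"`
	CreationTTL    int         `json:"creation_ttl"`
	DisplayName    string      `json:"display_name"`
	EntityID       string      `json:"entity_id"`
	ExpireTime     interface{} `json:"expire_time"` // untyped: decoded as whatever JSON value is sent
	ExplicitMaxTTL int         `json:"explicit_max_ttl"`
	ID             string      `json:"id"`
	IssueTime      time.Time   `json:"issue_time"`
	Meta           interface{} `json:"meta"` // untyped: decoded as whatever JSON value is sent
	NumUses        int         `json:"num_uses"`
	Orphan         bool        `json:"orphan"`
	Path           string      `json:"path"`
	Policies       []string    `json:"policies"`
	Renewable      bool        `json:"renewable"`
	TTL            int         `json:"ttl"`
	Type           string      `json:"type"`
}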

VaultTokenInfo holds the Vault token information



