Documentation ¶
Overview ¶
Package vault handles the Hashicorp Vault secret store. It uses the default Vault environment variables for configuration and adds a couple more. If a token is supplied by some means, that token is used. Otherwise the package fetches a token from the file named by VAULT_TOKEN_FILE, or falls back to userpass auth.
You should provide at least the following:
- VAULT_ADDR - URL of the Vault server
- VAULT_MAX_RETRIES - API retries before Vault fails
- VAULT_TOKEN - Optional if specified in a file or using userpass
- VAULT_TOKEN_FILE - Where to cache Vault tokens between calls to the executor on the same host. The file holds a bearer credential, so it should be readable only by the user the executor runs as.
- VAULT_TTL - The TTL in seconds of the Vault token that will be issued. Note that the grace period (TokenGracePeriod) is one hour, so a TTL shorter than one hour is not possible.
Index ¶
- Constants
- func CacheToken(token string)
- func GetTTL() int
- func GetToken(client TokenAuthHandler) error
- func GetTokenFromFile(tokenFile string) (string, error)
- func GetTokenWithLogin(client TokenAuthHandler, ttl int) (string, error)
- type EnvVault
- func (v EnvVault) DecryptAllEnv(envs []string) ([]string, error)
- func (v EnvVault) GetAWSCredsLease(role string) (*VaultAWSCredsLease, error)
- func (v EnvVault) MaybeRevokeToken() error
- func (v EnvVault) ReadSecretValue(vaultURL string) (string, error)
- func (v EnvVault) RenewAWSCredsLease(awsCredsLease *VaultAWSCredsLease, ttl int) (*VaultAWSCredsLease, error)
- func (v EnvVault) RevokeAWSCredsLease(leaseID, role string) error
- type EnvVaultConfig
- type TokenAuthHandler
- type Vault
- type VaultAPI
- type VaultAWSCredsLease
- type VaultAWSCredsResponse
Constants ¶
const (
	VaultURLScheme    = "vault"
	VaultDefaultKey   = "value"
	DefaultAWSRoleTTL = 3600 // 1 hour
)
const (
	DefaultTokenTTL    = 86400 // 1 day
	TokenGracePeriod   = 3600  // 1 hour
	StartupGracePeriod = 600   // 10 minutes
)
Variables ¶
This section is empty.
Functions ¶
func CacheToken ¶ added in v1.5.0
func CacheToken(token string)
CacheToken caches the token in the token file (VAULT_TOKEN_FILE) for all the other executors on the host to use.
func GetTTL ¶ added in v1.1.0
func GetTTL() int
GetTTL attempts to grab a TTL from the environment and then falls back to the configured default if none is found.
func GetToken ¶ added in v1.1.0
func GetToken(client TokenAuthHandler) error
GetToken uses username and password auth to get a Vault token.
func GetTokenFromFile ¶ added in v1.1.0
func GetTokenFromFile(tokenFile string) (string, error)
GetTokenFromFile attempts to read a token from the Vault token file as specified in the environment.
func GetTokenWithLogin ¶ added in v1.1.0
func GetTokenWithLogin(client TokenAuthHandler, ttl int) (string, error)
GetTokenWithLogin calls out to the Vault API and authenticates with userpass credentials.
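The token caching and TTL handling described in the overview (VAULT_TOKEN_FILE, VAULT_TTL) and by CacheToken, GetTTL and GetTokenFromFile above, as an added example that is not the package's own code. tokenTTL, cacheToken and readCachedToken are this example's names, not the library's functions. The owner-only permission check and the write-then-rename are the hardening a practitioner would want around a bearer token cached on disk, not documented behaviour of this package, and treating a VAULT_TTL below TokenGracePeriod as a configuration error is an assumption about how "not possible" is enforced.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Constants as documented for this package.
const (
	DefaultTokenTTL  = 86400 // 1 day
	TokenGracePeriod = 3600  // 1 hour
)

// tokenTTL applies the rule the overview gives for VAULT_TTL: the environment
// value wins when set, otherwise DefaultTokenTTL applies. A TTL below
// TokenGracePeriod is "not possible" per the docs; how the library reacts is
// not shown, so this example treats it as a configuration error (assumption)
// rather than silently clamping it.
func tokenTTL(vaultTTLEnv string) (int, error) {
	if vaultTTLEnv == "" {
		return DefaultTokenTTL, nil
	}
	ttl, err := strconv.Atoi(vaultTTLEnv)
	if err != nil {
		return 0, fmt.Errorf("VAULT_TTL: %w", err)
	}
	if ttl < TokenGracePeriod {
		return 0, fmt.Errorf("VAULT_TTL %d is shorter than the %d second grace period", ttl, TokenGracePeriod)
	}
	return ttl, nil
}

// cacheToken persists a token for other executors on the host. The file is
// created owner-only (0600) and moved into place with rename, so a reader
// racing the writer sees either the old token or the whole new one, never a
// truncated file. Example hardening, not a description of CacheToken.
func cacheToken(path, token string) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".vault-token-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // cleans up on failure; no-op after the rename
	if err := tmp.Chmod(0o600); err != nil {
		tmp.Close()
		return err
	}
	if _, err := tmp.WriteString(token + "\n"); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// readCachedToken loads a token written by cacheToken. A Vault token is a
// bearer credential, so a file that group or other users can read is refused
// rather than trusted.
func readCachedToken(path string) (string, error) {
	info, err := os.Stat(path)
	if err != nil {
		return "", err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return "", fmt.Errorf("%s: mode %04o grants group/other access, refusing to use token", path, perm)
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	token := strings.TrimSpace(string(data))
	if token == "" {
		return "", errors.New(path + ": token file is empty")
	}
	return token, nil
}

func main() {
	ttl, err := tokenTTL(os.Getenv("VAULT_TTL"))
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	path := filepath.Join(os.TempDir(), "vault-token-example")
	// Constructed placeholder token, not a real credential.
	if err := cacheToken(path, "hvs.constructed-example-token"); err != nil {
		panic(err)
	}
	defer os.Remove(path)
	tok, err := readCachedToken(path)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ttl=%ds token=%s\n", ttl, tok)
}
```

Run it with VAULT_TTL unset to see the default applied, then with VAULT_TTL=600 to see the grace-period check reject it. Loosening the cached file to 0644 and reading it again shows the permission refusal.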
Types ¶
type EnvVault ¶
type EnvVault struct {
// contains filtered or unexported fields
}
EnvVault is a client that replaces `vault://` paths in environment values with the secret value stored at that path in Hashicorp Vault.
func NewDefaultVault ¶
func NewDefaultVault(config *EnvVaultConfig) EnvVault
NewDefaultVault returns a client using the default configuration.
The default Address is https://127.0.0.1:8200, but this can be overridden by setting the `VAULT_ADDR` environment variable.
func (EnvVault) DecryptAllEnv ¶
func (v EnvVault) DecryptAllEnv(envs []string) ([]string, error)
DecryptAllEnv decrypts all env vars that contain a Vault path. Every value starting with `vault://` is replaced by the secret value stored at that path. For instance:
Input:  ["db_url=url", "db_pass=vault://secret/db_pass"]
Output: ["db_url=url", "db_pass=ACTUAL_SECRET_PASS"]
By default, the key used to retrieve the contents of the Secret that Vault returns is the string `VaultDefaultKey` ("value"). If you have more than one entry stored in a Secret and need to refer to them by name, append a query string specifying the key, such as:
vault://secret/prod-database?key=username
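The `vault://` rewriting described above, as an added example that is not the package's own DecryptAllEnv implementation. The secretReader interface and the in-memory fakeVault stand in for the real Vault client so it runs offline; parseVaultRef and resolveEnv are this example's names. The resolver fails closed on a reference it cannot resolve, which is this example's choice, since the page does not say how DecryptAllEnv handles a missing secret or key.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constants as documented for this package.
const (
	VaultURLScheme  = "vault"
	VaultDefaultKey = "value"
)

// secretReader is the one capability the resolver needs from a Vault client:
// fetch the key/value pairs stored at a path. The real client is replaced by
// an in-memory fake below (constructed for this example).
type secretReader interface {
	ReadSecret(path string) (map[string]string, error)
}

type fakeVault map[string]map[string]string

func (f fakeVault) ReadSecret(path string) (map[string]string, error) {
	data, ok := f[path]
	if !ok {
		return nil, fmt.Errorf("vault: no secret at %q", path)
	}
	return data, nil
}

// parseVaultRef splits "vault://secret/db_pass?key=username" into the Vault
// path ("secret/db_pass") and the key to read from the returned secret,
// defaulting to VaultDefaultKey when no ?key= is given.
func parseVaultRef(ref string) (path, key string, err error) {
	u, err := url.Parse(ref)
	if err != nil {
		return "", "", err
	}
	if u.Scheme != VaultURLScheme {
		return "", "", fmt.Errorf("not a vault reference: %q", ref)
	}
	// url.Parse treats the first path segment as the host; rejoin it.
	path = strings.TrimSuffix(u.Host+u.Path, "/")
	if path == "" {
		return "", "", fmt.Errorf("empty vault path in %q", ref)
	}
	key = u.Query().Get("key")
	if key == "" {
		key = VaultDefaultKey
	}
	return path, key, nil
}

// resolveEnv rewrites every "NAME=vault://..." entry with the secret value and
// leaves all other entries untouched. It fails closed: an unresolvable
// reference is an error, never passed through, so a process is not started
// with a literal "vault://" string where a credential was expected.
func resolveEnv(envs []string, v secretReader) ([]string, error) {
	out := make([]string, 0, len(envs))
	for _, kv := range envs {
		name, val, found := strings.Cut(kv, "=")
		if !found || !strings.HasPrefix(val, VaultURLScheme+"://") {
			out = append(out, kv)
			continue
		}
		path, key, err := parseVaultRef(val)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		secret, err := v.ReadSecret(path)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		value, ok := secret[key]
		if !ok {
			return nil, fmt.Errorf("%s: key %q not found in secret %q", name, key, path)
		}
		out = append(out, name+"="+value)
	}
	return out, nil
}

func main() {
	// Constructed secrets; the values are placeholders.
	store := fakeVault{
		"secret/db_pass":       {"value": "ACTUAL_SECRET_PASS"},
		"secret/prod-database": {"username": "app", "password": "CONSTRUCTED-PASSWORD"},
	}
	resolved, err := resolveEnv([]string{
		"db_url=url",
		"db_pass=vault://secret/db_pass",
		"db_user=vault://secret/prod-database?key=username",
	}, store)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(resolved, "\n"))
}
```

Note that the resolved values end up in the child process environment, so anything that can read that environment on the host can read the secrets; the rewriting only moves where the secret is exposed, it does not remove the exposure.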
func (EnvVault) GetAWSCredsLease ¶ added in v1.4.0
func (v EnvVault) GetAWSCredsLease(role string) (*VaultAWSCredsLease, error)
GetAWSCredsLease calls the Vault API and asks for AWS creds for a particular role. It returns a VaultAWSCredsLease whose Vars field holds the credentials as strings of the form "VAR=value", or an error.
func (EnvVault) MaybeRevokeToken ¶ added in v1.5.0
func (v EnvVault) MaybeRevokeToken() error
MaybeRevokeToken is called on shutdown. If we cached a parent token that was specific to this service, that token is revoked. If we are using the shared token, it is left alone.
func (EnvVault) ReadSecretValue ¶
func (v EnvVault) ReadSecretValue(vaultURL string) (string, error)
ReadSecretValue returns the secret value stored at a Vault path.
func (EnvVault) RenewAWSCredsLease ¶ added in v1.4.0
func (v EnvVault) RenewAWSCredsLease(awsCredsLease *VaultAWSCredsLease, ttl int) (*VaultAWSCredsLease, error)
RenewAWSCredsLease renews the lease we already hold on Vault, using the new TTL. The renewal response does not carry a fully populated lease, so the returned lease contains only the values that may have changed.
func (EnvVault) RevokeAWSCredsLease ¶ added in v1.4.0
func (v EnvVault) RevokeAWSCredsLease(leaseID, role string) error
RevokeAWSCredsLease calls Vault and revokes an existing lease on AWS credentials.
type EnvVaultConfig ¶ added in v1.5.2
type EnvVaultConfig struct {
	// AWS Role options
	AWSRole       string        `envconfig:"AWS_ROLE"`
	AWSRoleTTL    time.Duration `envconfig:"AWS_ROLE_TTL"`
	AWSRoleMaxTTL time.Duration `envconfig:"AWS_ROLE_MAX_TTL"`
}
An EnvVaultConfig is passed in to configure our client behavior. Keys must match the top level config because we copy the struct with reflection.
type TokenAuthHandler ¶ added in v1.1.0
type TokenAuthHandler interface {
	Validate(token string) (*api.Secret, error)
	Login(username string, password string, options map[string]interface{}) (string, error)
	Renew(token string, ttl int) error
	SetToken(token string)
}
TokenAuthHandler wraps the parts of the Hashicorp Vault API that need extra work before they are called, and covers the parts of the API that are hard to mock.
type Vault ¶ added in v1.4.0
type Vault interface {
	DecryptAllEnv([]string) ([]string, error)
	GetAWSCredsLease(role string) (*VaultAWSCredsLease, error)
	RevokeAWSCredsLease(leaseID, role string) error
	RenewAWSCredsLease(awsCredsLease *VaultAWSCredsLease, ttl int) (*VaultAWSCredsLease, error)
	MaybeRevokeToken() error
}
The Vault interface represents a client that talks to Hashicorp Vault and does some lower level work on our behalf.
type VaultAPI ¶
type VaultAPI interface {
	Address() string
	NewRequest(method, path string) *api.Request
	RawRequest(r *api.Request) (*api.Response, error)
}
VaultAPI is our own narrowly scoped interface over the Hashicorp Vault client.
type VaultAWSCredsLease ¶ added in v1.4.0
type VaultAWSCredsLease struct {
	Vars            []string
	LeaseExpiryTime time.Time
	LeaseID         string
	Role            string
}
A VaultAWSCredsLease is returned from GetAWSCredsLease.
type VaultAWSCredsResponse ¶ added in v1.4.0
type VaultAWSCredsResponse struct {
	RequestID string `json:"request_id"`
	Data      struct {
		SecretKey     string      `json:"secret_key"`
		AccessKey     string      `json:"access_key"`
		SecurityToken interface{} `json:"security_token"`
	} `json:"data"`
	LeaseID       string      `json:"lease_id"`
	Warnings      interface{} `json:"warnings"`
	LeaseDuration int         `json:"lease_duration"`
	Renewable     bool        `json:"renewable"`
	Auth          interface{} `json:"auth"`
	WrapInfo      interface{} `json:"wrap_info"`
}
A VaultAWSCredsResponse represents a response from the Vault API itself, containing the AWS keys and tokens, etc.
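How a VaultAWSCredsResponse becomes the VaultAWSCredsLease that GetAWSCredsLease returns, as an added example that is not the package's implementation. The two types are copied from this page; parseAWSCredsResponse, leaseFromResponse and needsRenewal are the example's own names, the AWS_* variable names are an assumption (the page does not list which names the library emits), and the JSON is constructed with placeholder key material. It also handles the case the interface{} type of security_token exists for: null for IAM-user credentials, a string for STS credentials.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// VaultAWSCredsResponse and VaultAWSCredsLease are the types documented on
// this page, reproduced so the example compiles stand-alone.
type VaultAWSCredsResponse struct {
	RequestID string `json:"request_id"`
	Data      struct {
		SecretKey     string      `json:"secret_key"`
		AccessKey     string      `json:"access_key"`
		SecurityToken interface{} `json:"security_token"`
	} `json:"data"`
	LeaseID       string      `json:"lease_id"`
	Warnings      interface{} `json:"warnings"`
	LeaseDuration int         `json:"lease_duration"`
	Renewable     bool        `json:"renewable"`
	Auth          interface{} `json:"auth"`
	WrapInfo      interface{} `json:"wrap_info"`
}

type VaultAWSCredsLease struct {
	Vars            []string
	LeaseExpiryTime time.Time
	LeaseID         string
	Role            string
}

// sampleCredsJSON is a constructed response in the documented shape; the key
// material is placeholder text, not real credentials.
const sampleCredsJSON = `{
  "request_id": "00000000-0000-4000-8000-000000000001",
  "lease_id": "aws/creds/deploy/CONSTRUCTED-LEASE-ID",
  "renewable": true,
  "lease_duration": 3600,
  "data": {
    "access_key": "AKIAEXAMPLEEXAMPLE01",
    "secret_key": "EXAMPLE/SECRET/KEY/NOT/REAL/0000000000",
    "security_token": null
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}`

func parseAWSCredsResponse(body []byte) (*VaultAWSCredsResponse, error) {
	var resp VaultAWSCredsResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decoding aws creds response: %w", err)
	}
	return &resp, nil
}

// leaseFromResponse builds the lease the executor hands around. The env var
// names are the AWS SDK's standard ones (assumption: the page does not say
// which names the library emits). security_token is null for IAM-user
// credentials and a string for STS credentials, hence the type assertion.
// A response without a lease_id is rejected because such a lease could never
// be renewed or revoked.
func leaseFromResponse(resp *VaultAWSCredsResponse, role string, now time.Time) (*VaultAWSCredsLease, error) {
	if resp.Data.AccessKey == "" || resp.Data.SecretKey == "" {
		return nil, fmt.Errorf("aws creds for role %q: response has no key pair", role)
	}
	if resp.LeaseID == "" {
		return nil, fmt.Errorf("aws creds for role %q: response has no lease_id", role)
	}
	vars := []string{
		"AWS_ACCESS_KEY_ID=" + resp.Data.AccessKey,
		"AWS_SECRET_ACCESS_KEY=" + resp.Data.SecretKey,
	}
	if tok, ok := resp.Data.SecurityToken.(string); ok && tok != "" {
		vars = append(vars, "AWS_SESSION_TOKEN="+tok)
	}
	return &VaultAWSCredsLease{
		Vars:            vars,
		LeaseExpiryTime: now.Add(time.Duration(resp.LeaseDuration) * time.Second),
		LeaseID:         resp.LeaseID,
		Role:            role,
	}, nil
}

// needsRenewal reports whether less than margin remains on the lease, i.e.
// whether RenewAWSCredsLease should be called now rather than later.
func needsRenewal(l *VaultAWSCredsLease, now time.Time, margin time.Duration) bool {
	return !now.Add(margin).Before(l.LeaseExpiryTime)
}

func main() {
	resp, err := parseAWSCredsResponse([]byte(sampleCredsJSON))
	if err != nil {
		panic(err)
	}
	now := time.Now()
	lease, err := leaseFromResponse(resp, "deploy", now)
	if err != nil {
		panic(err)
	}
	for _, v := range lease.Vars {
		fmt.Println(v)
	}
	fmt.Println("lease", lease.LeaseID, "expires", lease.LeaseExpiryTime.Format(time.RFC3339))
	fmt.Println("renew now?", needsRenewal(lease, now, 10*time.Minute))
	fmt.Println("renew at T+55m?", needsRenewal(lease, now.Add(55*time.Minute), 10*time.Minute))
}
```

The renewal margin is the caller's choice; it should be comfortably larger than the time the workload needs to pick up new credentials, since AWS rejects the old key pair as soon as Vault revokes the lease.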