vault

command module
v1.1.0-beta2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 5, 2019 License: MPL-2.0 Imports: 2 Imported by: 0

README

Vault Build Status vault enterprise

Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, please responsibly disclose by contacting us at security@hashicorp.com.

Vault Logo

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

A modern system requires access to a multitude of secrets: database credentials, API keys for external services, credentials for service-oriented architecture communication, etc. Understanding who is accessing what secrets is already very difficult and platform-specific. Adding on key rolling, secure storage, and detailed audit logs is almost impossible without a custom solution. This is where Vault steps in.

The key features of Vault are:

  • Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.

  • Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up.

  • Data Encryption: Vault can encrypt and decrypt data without storing it. This allows security teams to define encryption parameters and developers to store encrypted data in a location such as SQL without having to design their own encryption methods.

  • Leasing and Renewal: All secrets in Vault have a lease associated with it. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.

  • Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets, but a tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.

For more information, see the getting started guide on Hashicorp's learning platform.

Getting Started & Documentation

All documentation is available on the Vault website.

Developing Vault

If you wish to work on Vault itself or any of its built-in systems, you'll first need Go installed on your machine (version 1.11+ is required).

For local dev first make sure Go is properly installed, including setting up a GOPATH. Next, clone this repository into $GOPATH/src/github.com/hashicorp/vault. You can then download any required build tools by bootstrapping your environment:

$ make bootstrap
...

To compile a development version of Vault, run make or make dev. This will put the Vault binary in the bin and $GOPATH/bin folders:

$ make dev
...
$ bin/vault
...

To compile a development version of Vault with the UI, run make static-dist dev-ui. This will put the Vault binary in the bin and $GOPATH/bin folders:

$ make static-dist dev-ui
...
$ bin/vault
...

To run tests, type make test. Note: this requires Docker to be installed. If this exits with exit status 0, then everything is working!

$ make test
...

If you're developing a specific package, you can run tests for just that package by specifying the TEST variable. For example below, only vault package tests will be run.

$ make test TEST=./vault
...
Acceptance Tests

Vault has comprehensive acceptance tests covering most of the features of the secret and auth methods.

If you're working on a feature of a secret or auth method and want to verify it is functioning (and also hasn't broken anything else), we recommend running the acceptance tests.

Warning: The acceptance tests create/destroy/modify real resources, which may incur real costs in some cases. In the presence of a bug, it is technically possible that broken backends could leave dangling data behind. Therefore, please run the acceptance tests at your own risk. At the very least, we recommend running them in their own private account for whatever backend you're testing.

To run the acceptance tests, invoke make testacc:

$ make testacc TEST=./builtin/logical/consul
...

The TEST variable is required, and you should specify the folder where the backend is. The TESTARGS variable is recommended to filter down to a specific resource to test, since testing all of them at once can sometimes take a very long time.

Acceptance tests typically require other environment variables to be set for things such as access keys. The test itself should error early and tell you what to set, so it is not documented here.

For more information on Vault Enterprise features, visit the Vault Enterprise site.

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
api
auth/approle Module
auth/aws Module
auth/azure Module
auth/gcp Module
auth/kubernetes Module
auth/ldap Module
auth/userpass Module
builtin
audit/file
audit/socket
audit/syslog
credential/app-id
credential/app-id/cmd/app-id
credential/approle
credential/approle/cmd/approle
credential/aws
credential/aws/cmd/aws
credential/cert
credential/cert/cmd/cert
credential/github
credential/github/cmd/github
credential/ldap
credential/ldap/cmd/ldap
credential/okta
credential/okta/cmd/okta
credential/radius
credential/radius/cmd/radius
credential/token
credential/userpass
credential/userpass/cmd/userpass
logical/aws
logical/aws/cmd/aws
logical/cassandra
logical/cassandra/cmd/cassandra
logical/consul
logical/consul/cmd/consul
logical/database
logical/database/dbplugin
logical/mongodb
logical/mongodb/cmd/mongodb
logical/mssql
logical/mssql/cmd/mssql
logical/mysql
logical/mysql/cmd/mysql
logical/nomad
logical/nomad/cmd/nomad
logical/pki
logical/pki/cmd/pki
logical/postgresql
logical/postgresql/cmd/postgresql
logical/rabbitmq
logical/rabbitmq/cmd/rabbitmq
logical/ssh
logical/ssh/cmd/ssh
logical/totp
logical/totp/cmd/totp
logical/transit
logical/transit/cmd/transit
plugin
agent
agent/auth
agent/auth/alicloud
agent/auth/approle
agent/auth/aws
agent/auth/azure
agent/auth/gcp
agent/auth/jwt
agent/auth/kubernetes
agent/cache
agent/cache/cachememdb
agent/config
agent/sink
agent/sink/file
agent/sink/inmem
agent/sink/mock
config
server
server/seal
token
helper
awsutil
base62
Package base62 provides utilities for working with base62 strings.
 Package base62 provides utilities for working with base62 strings.
builtinplugins
certutil
Package certutil contains helper functions that are mostly used with the PKI backend but can be generally useful.
 Package certutil contains helper functions that are mostly used with the PKI backend but can be generally useful.
cidrutil
compressutil
consts
cryptoutil
dbtxn
dhutil
errutil
flag-kv
flag-slice
forwarding
gated-writer
hclutil
identity
identity/mfa
jsonutil
kdf
This package is used to implement Key Derivation Functions (KDF) based on the recommendations of NIST SP 800-108.
 This package is used to implement Key Derivation Functions (KDF) based on the recommendations of NIST SP 800-108.
keysutil
kv-builder
ldaputil
license
locksutil
logging
metricsutil
mfa
Package mfa provides wrappers to add multi-factor authentication to any auth method.
 Package mfa provides wrappers to add multi-factor authentication to any auth method.
mfa/duo
Package duo provides a Duo MFA handler to authenticate users with Duo.
 Package duo provides a Duo MFA handler to authenticate users with Duo.
mlock
namespace
parseutil
password
password is a package for reading a password securely from a terminal.
 password is a package for reading a password securely from a terminal.
pathmanager
pgpkeys
pluginutil
policies
policyutil
proxyutil
reload
salt
storagepacker
strutil
testhelpers
tlsutil
useragent
wrapping
xor
framework
plugin
plugin/mock
plugin/mock/mock-plugin
plugin/pb
testing
alicloudoss
azure
cassandra
cockroachdb
consul
couchdb
dynamodb
etcd
file
foundationdb
gcs
inmem
manta
mssql
mysql
postgresql
s3
spanner
swift
zookeeper
database/cassandra
database/cassandra/cassandra-database-plugin
database/hana
database/hana/hana-database-plugin
database/influxdb
database/influxdb/influxdb-database-plugin
database/mongodb
database/mongodb/mongodb-database-plugin
database/mssql
database/mssql/mssql-database-plugin
database/mysql
database/mysql/mysql-database-plugin
database/mysql/mysql-legacy-database-plugin
database/postgresql
database/postgresql/postgresql-database-plugin
helper/database/connutil
helper/database/credsutil
helper/database/dbutil
sdk module
replication
seal
seal/alicloudkms
seal/awskms
seal/azurekeyvault
seal/gcpckms
seal/transit
hcp_link/proto Module

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.