Documentation
Overview
Package vaultauth provides an interface to a few custom Vault auth methods for use with github.com/helmwave/go-fsimpl/vaultfs, but which can also be used directly with a *github.com/hashicorp/vault/api.Client.
See also these auth methods provided with the Vault API:
Functions
func EnvAuthMethod
func EnvAuthMethod() api.AuthMethod
EnvAuthMethod configures the auth method based on environment variables. It will attempt to authenticate with the following four methods, in order of precedence:
approle
github.com/hashicorp/vault/api/auth/approle.NewAppRoleAuth is called, using the roleID from $VAULT_ROLE_ID and the secretID from $VAULT_SECRET_ID. The default mount path can be overridden with $VAULT_AUTH_APPROLE_MOUNT.
github
NewGitHubAuth is called, using the token from $VAULT_AUTH_GITHUB_TOKEN. The default mount path can be overridden with $VAULT_AUTH_GITHUB_MOUNT.
userpass
github.com/hashicorp/vault/api/auth/userpass.NewUserpassAuth is called, using the username from $VAULT_AUTH_USERNAME and the password from $VAULT_AUTH_PASSWORD. The default mount path can be overridden with $VAULT_AUTH_USERPASS_MOUNT.
token
NewTokenAuth is called, using the token from $VAULT_TOKEN, or the token contained in $HOME/.vault-token.
Note that this auth method is provided as a convenience, and is not intended to be heavily depended upon. It is recommended that you use the auth methods directly, and configure them with the appropriate options.
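Because of the precedence above, credentials for a higher-ranked method win over the one you may have intended. The following is an added example, not code from the vaultauth package: it reports which method would be selected and which lower-ranked credentials are also present. The names `audit`, `method` and `precedence` are hypothetical, and it assumes a method counts as configured only when all of its variables are non-empty.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// method pairs an auth method name with the variables the page says it reads.
type method struct {
	name     string
	required []string
}

// precedence lists the methods in the order documented for EnvAuthMethod.
var precedence = []method{
	{"approle", []string{"VAULT_ROLE_ID", "VAULT_SECRET_ID"}},
	{"github", []string{"VAULT_AUTH_GITHUB_TOKEN"}},
	{"userpass", []string{"VAULT_AUTH_USERNAME", "VAULT_AUTH_PASSWORD"}},
	{"token", []string{"VAULT_TOKEN"}},
}

// audit returns the method that wins under the documented precedence, and the
// lower-ranked methods whose credentials are present but would go unused.
// Assumption: a method is configured only when all its variables are non-empty.
func audit(getenv func(string) string, tokenFileExists bool) (chosen string, shadowed []string) {
	for _, m := range precedence {
		ok := true
		for _, v := range m.required {
			ok = ok && getenv(v) != ""
		}
		// The token method also falls back to $HOME/.vault-token.
		if !ok && !(m.name == "token" && tokenFileExists) {
			continue
		}
		if chosen == "" {
			chosen = m.name
		} else {
			shadowed = append(shadowed, m.name)
		}
	}
	return chosen, shadowed
}

func main() {
	home, _ := os.UserHomeDir()
	_, err := os.Stat(filepath.Join(home, ".vault-token"))
	chosen, shadowed := audit(os.Getenv, err == nil)
	fmt.Printf("selected: %q, unused credentials also present: %v\n", chosen, shadowed)
}
```

A non-empty second value is a prompt to clear the unused credentials from the process environment before starting the application.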
func NewGitHubAuth
func NewGitHubAuth(token *GitHubToken, opts ...GitHubLoginOption) (api.AuthMethod, error)
NewGitHubAuth authenticates to Vault with the GitHub auth method.
Use WithGitHubMountPath to specify the mount path for the GitHub auth method. If not specified, the default is "github".
func NewTokenAuth
func NewTokenAuth(token string) api.AuthMethod
NewTokenAuth authenticates with the given token, or if none is provided, attempts to read from the $VAULT_TOKEN environment variable, or the $HOME/.vault-token file.
When using this method, the token is not managed by vaultfs, and will not be revoked when files are closed. It is the responsibility of the caller to manage the token.
func WithAuthMethod
WithAuthMethod configures the given FS to authenticate with auth, if the filesystem supports it.
Note that this is not required if $VAULT_TOKEN is set.
Types
type GitHubLoginOption
type GitHubLoginOption func(a *gitHubAuthMethod) error
func WithGitHubMountPath
func WithGitHubMountPath(mountPath string) GitHubLoginOption
type GitHubToken
GitHubToken is a struct that allows you to specify where your application is storing the token required for login to the GitHub auth method.