vault

Documentation

Index

• Constants
• type EnvVault
  • func NewDefaultVault() EnvVault
  • func (v EnvVault) DecryptAllEnv(envs []string) ([]string, error)
  • func (v EnvVault) ReadSecretValue(vaultURL string) (string, error)
• type VaultAPI

Constants

const VaultURLScheme = "vault"

Types

type EnvVault

type EnvVault struct {
	// contains filtered or unexported fields
}

Client to replace vault paths by the secret value stored in Hashicorp Vault.

func NewDefaultVault

func NewDefaultVault() EnvVault

NewDefaultVault returns a client using the default configuration.

The default Address is https://127.0.0.1:8200, but this can be overridden by setting the `VAULT_ADDR` environment variable.

func (EnvVault) DecryptAllEnv

func (v EnvVault) DecryptAllEnv(envs []string) ([]string, error)

DecryptAllEnv decrypts all env vars that contain a Vault path. All values staring with `vault://` are overridden by the secret value stored in the path. For instance:

 Input: ["db_url=url","db_pass=vault://secret/db_pass"]
Output: ["db_url=url","db_pass=ACTUAL_SECRET_PASS"]

By default, the key used to retrieve the contents of the Secret that Vault returns is the string "value". If you have more than one entry stored in a Secret and need to refer to them by name, you may append a query string specifying the key, such as:

vault://secret/prod-database?key=username

func (EnvVault) ReadSecretValue

func (v EnvVault) ReadSecretValue(vaultURL string) (string, error)

ReadSecretValue returns the secret value of a Vault path.

type VaultAPI

type VaultAPI interface {
	Address() string
	NewRequest(method, path string) *api.Request
	RawRequest(r *api.Request) (*api.Response, error)
}

Our own narrowly-scoped interface for Hashicorp Vault Client