README
¶
Vault Config Source (Alpha)
Use the Vault config source to retrieve data from Vault and inject it into your collector configuration. It supports:
Configuration
Under the config_sources: use vault: or vault/<name>: to create a Vault config
source. The following parameters are available to customize Vault config sources:
config_sources:
vault:
# endpoint is the Vault server address. It is equivalent to the Vault tool
# environment variable VAULT_ADDR.
endpoint: http://localhost:8200
# path is the Vault path to the secret location.
path: secret/data/kv
# poll_interval is used only for non-dynamic V2 K/V secret stores. It is
# the interval in which the config source will check for changes on the
# data on the given Vault path. Defaults to 1 minute if not specified.
poll_interval: 90s
# auth is a section used to indicate the authentication method to be used.
# Exactly one method must be specified, it must be one of the following:
# "token", "iam", or "gcp".
auth:
# token is used to access the Vault server. It is equivalent to the Vault tool
# environment variable VAULT_TOKEN.
token: some_toke_value
# iam is used on AWS deployments to generate the required Vault token.
# For details about each of the settings below, see
# https://github.com/hashicorp/vault/blob/v1.1.0/builtin/credential/aws/cli.go#L148
iam:
aws_access_key_id: key_id
aws_secret_access_key: access_key
aws_security_token: security_token
header_value: header_value
mount: aws
role: role
# gcp is used on GCP deployments to generate the required Vault token.
# For details about each of the settings below, see
# https://github.com/hashicorp/vault-plugin-auth-gcp/blob/e1f6784b379d277038ca0661606aa8d23791e392/plugin/cli.go#L138
gcp:
role: role
mount: gcp
credentials: json_string # This setting is not recommended.
jwp_ext: 10m
service_account: some_account
project: project_id
If multiple paths are needed create different instances of the config source, example:
config_sources:
# Assuming that the environment variables VAULT_ADDR and VAULT_TOKEN are the defined
# and the different secrets are on the same server but at different paths.
vault/kv:
endpoint: $VAULT_ADDR
path: secret/data/kv
auth:
token: $VAULT_TOKEN
vault/db:
endpoint: $VAULT_ADDR
path: database/creds/collector_role
auth:
token: $VAULT_TOKEN
# Both Vault config sources can be used via their full name. Hypothetical example:
components:
component_using_vault_kv:
# Example showing K/V V2, see note below about the '.' usage.
username: $vault/kv:data.user
password: $vault/kv:data.password
component_using_vault_db:
username: $vault/db:username
password: $vault/db:password
Note: When using the Key/Value V2 secret engine, all data will be nested under a
separate data map within the secret, e.g. data and metadata, to access specific
keys specify the "map" and the "key" using a . as separator, eg: data.username.
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewFactory ¶
func NewFactory() configprovider.Factory
NewFactory creates a factory for Vault ConfigSource objects.
Types ¶
type Authentication ¶
type Authentication struct {
// Token is the token to be used to access the Vault server, typically is set
// via the VAULT_TOKEN environment variable for the Vault CLI.
Token *string `mapstructure:"token"`
// IAMAuthentication holds the authentication options for AWS IAM. The options
// are the same as the vault CLI tool, see https://github.com/hashicorp/vault/blob/v1.1.0/builtin/credential/aws/cli.go#L148.
IAMAuthentication *IAMAuthentication `mapstructure:"iam"`
// GCPAuthentication holds the authentication options for GCP. The options
// are the same as the vault CLI tool, see https://github.com/hashicorp/vault-plugin-auth-gcp/blob/e1f6784b379d277038ca0661606aa8d23791e392/plugin/cli.go#L120.
GCPAuthentication *GCPAuthentication `mapstructure:"gcp"`
}
Authentication holds the authentication configuration for Vault config source objects.
type Config ¶
type Config struct {
*configprovider.Settings
// Authentication defines the authentication method to be used.
Authentication *Authentication `mapstructure:"auth"`
// Endpoint is the address of the Vault server, typically it is set via the
// VAULT_ADDR environment variable for the Vault CLI.
Endpoint string `mapstructure:"endpoint"`
// Path is the Vault path where the secret to be retrieved is located.
Path string `mapstructure:"path"`
// PollInterval is the interval in which the config source will check for
// changes on the data on the given Vault path. This is only used for
// non-dynamic secret stores. Defaults to 1 minute if not specified.
PollInterval time.Duration `mapstructure:"poll_interval"`
}
Config holds the configuration for the creation of Vault config source objects.
type GCPAuthentication ¶
type GCPAuthentication struct {
// Role is the name of the role you're requesting a token for. It is required.
Role *string `mapstructure:"role"`
// Mount is the path where the GCP credential method is mounted.
// This is usually provided via the -path flag in the "vault login"
// command, but it can be specified here as well. If specified here, it
// takes precedence over the value for -path. Defaults to `gcp`.
Mount *string `mapstructure:"mount"`
// Credentials can be used to specify GCP credentials in JSON string format (not recommended).
Credentials *string `mapstructure:"credentials"`
// JWTExp is the time until the generated JWT expires. The given GCP role will
// have a max_jwt_exp field, the time in minutes that all valid
// authentication JWTs must expire within (from time of authentication).
// Defaults to 15 minutes, the default max_jwt_exp for a role. Must be less
// than an hour.
JWTExpiration *time.Duration `mapstructure:"jwt_exp"`
// ServiceAccount used to generate a JWT for. Defaults to credentials
// "client_email" if "credentials" specified and this value is not.
ServiceAccount *string `mapstructure:"service_account"`
// Project for the service account who will be authenticating to Vault.
// Defaults to the credential's "project_id" (if credentials are specified)."
Project *string `mapstructure:"project"`
}
GCPAuthentication holds the authentication options for GCP. The options are the same as the vault CLI tool, see https://github.com/hashicorp/vault-plugin-auth-gcp/blob/e1f6784b379d277038ca0661606aa8d23791e392/plugin/cli.go#L120.
type IAMAuthentication ¶
type IAMAuthentication struct {
// AWSAccessKeyID is the AWS access key ID.
AWSAccessKeyID *string `mapstructure:"aws_access_key_id"`
// AWSSecretAccessKey it the AWS secret access key.
AWSSecretAccessKey *string `mapstructure:"aws_secret_access_key"`
// AWSSecurityToken is the AWS security token for temporary credentials.
AWSSecurityToken *string `mapstructure:"aws_security_token"`
// HeaderValue for the x-vault-aws-iam-server-id header in requests.
HeaderValue *string `mapstructure:"header_value"`
// Mount is the path where the AWS credential method is mounted. This is usually provided
// via the -path flag in the "vault login" command, but it can be specified
// here as well. If specified here, it takes precedence over the value for
// -path. The default value is "aws".
Mount *string `mapstructure:"mount"`
// Role is the name of the Vault role to request a token against.
Role *string `mapstructure:"role"`
}
IAMAuthentication holds the authentication options for AWS IAM. The options are the same as the vault CLI tool, see https://github.com/hashicorp/vault/blob/v1.1.0/builtin/credential/aws/cli.go#L148.
Source Files
Click to show internal directories.
Click to hide internal directories.