vaultconfigsource

package
v0.81.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 12, 2023 License: Apache-2.0 Imports: 14 Imported by: 0

README

Vault Config Source (Alpha)

Use the Vault config source to retrieve data from Vault and inject it into your collector configuration. It supports:

Configuration

Under the config_sources: use vault: or vault/<name>: to create a Vault config source. The following parameters are available to customize Vault config sources:

config_sources:
  vault:
    # endpoint is the Vault server address. It is equivalent to the Vault tool
    # environment variable VAULT_ADDR.
    endpoint: http://localhost:8200
    # path is the Vault path to the secret location.
    path: secret/data/kv
    # poll_interval is used only for non-dynamic V2 K/V secret stores. It is
    # the interval in which the config source will check for changes on the
    # data on the given Vault path. Defaults to 1 minute if not specified.
    poll_interval: 90s
    # auth is a section used to indicate the authentication method to be used.
    # Exactly one method must be specified, it must be one of the following:
    # "token", "iam", or "gcp".
    auth:
      # token is used to access the Vault server. It is equivalent to the Vault tool
      # environment variable VAULT_TOKEN.
      token: some_toke_value
      # iam is used on AWS deployments to generate the required Vault token.
      # For details about each of the settings below, see
      # https://github.com/hashicorp/vault/blob/v1.1.0/builtin/credential/aws/cli.go#L148
      iam:
        aws_access_key_id: key_id
        aws_secret_access_key: access_key
        aws_security_token: security_token
        header_value: header_value
        mount: aws
        role: role
      # gcp is used on GCP deployments to generate the required Vault token.
      # For details about each of the settings below, see
      # https://github.com/hashicorp/vault-plugin-auth-gcp/blob/e1f6784b379d277038ca0661606aa8d23791e392/plugin/cli.go#L138
      gcp:
        role: role
        mount: gcp
        credentials: json_string # This setting is not recommended.
        jwt_ext: 10
        service_account: some_account
        project: project_id

If multiple paths are needed create different instances of the config source, example:

config_sources:
    # Assuming that the environment variables VAULT_ADDR and VAULT_TOKEN are the defined
    # and the different secrets are on the same server but at different paths.
    vault/kv:
      endpoint: $VAULT_ADDR
      path: secret/data/kv
      auth:
        token: $VAULT_TOKEN
    vault/db:
      endpoint: $VAULT_ADDR
      path: database/creds/collector_role
      auth:
        token: $VAULT_TOKEN

# Both Vault config sources can be used via their full name. Hypothetical example:
components:
  component_using_vault_kv:
    # Example showing K/V V2, see note below about the '.' usage.
    username: $vault/kv:data.user
    password: $vault/kv:data.password

  component_using_vault_db:
    username: $vault/db:username
    password: $vault/db:password

Note: When using the Key/Value V2 secret engine, all data will be nested under a separate data map within the secret, e.g. data and metadata, to access specific keys specify the "map" and the "key" using a . as separator, eg: data.username.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewFactory

func NewFactory() configsource.Factory

NewFactory creates a factory for Vault ConfigSource objects.

Types

type Authentication

type Authentication struct {
	// Token is the token to be used to access the Vault server, typically is set
	// via the VAULT_TOKEN environment variable for the Vault CLI.
	Token *string `mapstructure:"token"`
	// IAMAuthentication holds the authentication options for AWS IAM. The options
	// are the same as the vault CLI tool, see https://github.com/hashicorp/vault/blob/v1.1.0/builtin/credential/aws/cli.go#L148.
	IAMAuthentication *IAMAuthentication `mapstructure:"iam"`
	// GCPAuthentication holds the authentication options for GCP. The options
	// are the same as the vault CLI tool, see https://github.com/hashicorp/vault-plugin-auth-gcp/blob/e1f6784b379d277038ca0661606aa8d23791e392/plugin/cli.go#L120.
	GCPAuthentication *GCPAuthentication `mapstructure:"gcp"`
}

Authentication holds the authentication configuration for Vault config source objects.

type Config

type Config struct {
	configsource.SourceSettings `mapstructure:",squash"` // squash ensures fields are correctly decoded in embedded struct
	// Authentication defines the authentication method to be used.
	Authentication *Authentication `mapstructure:"auth"`
	// Endpoint is the address of the Vault server, typically it is set via the
	// VAULT_ADDR environment variable for the Vault CLI.
	Endpoint string `mapstructure:"endpoint"`
	// Path is the Vault path where the secret to be retrieved is located.
	Path string `mapstructure:"path"`
	// PollInterval is the interval in which the config source will check for
	// changes on the data on the given Vault path. This is only used for
	// non-dynamic secret stores. Defaults to 1 minute if not specified.
	PollInterval time.Duration `mapstructure:"poll_interval"`
}

Config holds the configuration for the creation of Vault config source objects.

type GCPAuthentication

type GCPAuthentication struct {
	// Role is the name of the role you're requesting a token for. It is required.
	Role *string `mapstructure:"role"`
	// Mount is the path where the GCP credential method is mounted.
	// This is usually provided via the -path flag in the "vault login"
	// command, but it can be specified here as well. If specified here, it
	// takes precedence over the value for -path.  Defaults to `gcp`.
	Mount *string `mapstructure:"mount"`
	// Credentials can be used to specify GCP credentials in JSON string format (not recommended).
	Credentials *string `mapstructure:"credentials"`
	// JWTExp is the time until the generated JWT expires. The given GCP role will
	// have a max_jwt_exp field, the time in minutes that all valid
	// authentication JWTs must expire within (from time of authentication).
	// Defaults to 15 minutes, the default max_jwt_exp for a role. Must be less
	// than an hour.
	JWTExpiration *time.Duration `mapstructure:"jwt_exp"`
	// ServiceAccount used to generate a JWT for. Defaults to credentials
	// "client_email" if "credentials" specified and this value is not.
	ServiceAccount *string `mapstructure:"service_account"`
	// Project for the service account who will be authenticating to Vault.
	// Defaults to the credential's "project_id" (if credentials are specified)."
	Project *string `mapstructure:"project"`
}

GCPAuthentication holds the authentication options for GCP. The options are the same as the vault CLI tool, see https://github.com/hashicorp/vault-plugin-auth-gcp/blob/e1f6784b379d277038ca0661606aa8d23791e392/plugin/cli.go#L120.

func (*GCPAuthentication) Token

func (gcp *GCPAuthentication) Token(client *api.Client) (string, error)

type IAMAuthentication

type IAMAuthentication struct {
	// AWSAccessKeyID is the AWS access key ID.
	AWSAccessKeyID *string `mapstructure:"aws_access_key_id"`
	// AWSSecretAccessKey it the AWS secret access key.
	AWSSecretAccessKey *string `mapstructure:"aws_secret_access_key"`
	// AWSSecurityToken is the AWS security token for temporary credentials.
	AWSSecurityToken *string `mapstructure:"aws_security_token"`
	// HeaderValue for the x-vault-aws-iam-server-id header in requests.
	HeaderValue *string `mapstructure:"header_value"`
	// Mount is the path where the AWS credential method is mounted. The default value is "aws".
	Mount *string `mapstructure:"mount"`
	// Role is the name of the Vault role to request a token against.
	Role *string `mapstructure:"role"`
}

IAMAuthentication holds the authentication options for AWS IAM. The options are the same as the vault CLI tool, see https://github.com/hashicorp/vault/blob/v1.1.0/builtin/credential/aws/cli.go#L148.

func (*IAMAuthentication) Token

func (iam *IAMAuthentication) Token(client *api.Client) (string, error)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL