├── .travis.yml ├── example-config.yaml ├── .gitignore ├── main_test.go ├── Gopkg.toml ├── Gopkg.lock ├── conf ├── config.go └── config_test.go ├── main.go ├── vault ├── vault.go └── vault_test.go ├── README.md └── LICENSE /.travis.yml: -------------------------------------------------------------------------------- 1 | language: go 2 | go: 3 | - "1.8" 4 | - "1.9" 5 | - "1.10.x" 6 | 7 | notifications: 8 | email: false 9 | 10 | script: 11 | - go test -v -race -cover ./... 12 | -------------------------------------------------------------------------------- /example-config.yaml: -------------------------------------------------------------------------------- 1 | command: ["bash", "-c", "env"] 2 | host: http://vault.rocks:8200 3 | roleId: myAppRole 4 | secretId: mySecretId 5 | secretIdEnv: SECRET_ID 6 | secretMount: /secret/service/awesomeApp/ 7 | secrets: 8 | apnConfig: 9 | key: APN_KEY 10 | keyId: APN_KEYID 11 | teamId: APN_TEAMID -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Created by https://www.gitignore.io/api/go,macos 2 | .idea/ 3 | vendor/ 4 | 5 | ### Go ### 6 | # Binaries for programs and plugins 7 | *.exe 8 | *.exe~ 9 | *.dll 10 | *.so 11 | *.dylib 12 | 13 | # Test binary, build with `go test -c` 14 | *.test 15 | 16 | # Output of the go coverage tool, specifically when used with LiteIDE 17 | *.out 18 | 19 | ### macOS ### 20 | *.DS_Store 21 | .AppleDouble 22 | .LSOverride 23 | 24 | # Icon must end with two \r 25 | Icon 26 | 27 | # Thumbnails 28 | ._* 29 | 30 | # Files that might appear in the root of a volume 31 | .DocumentRevisions-V100 32 | .fseventsd 33 | .Spotlight-V100 34 | .TemporaryItems 35 | .Trashes 36 | .VolumeIcon.icns 37 | .com.apple.timemachine.donotpresent 38 | 39 | # Directories potentially created on remote AFP share 40 | .AppleDB 41 | .AppleDesktop 42 | Network Trash Folder 43 | Temporary Items 44 | .apdisk 45 | 46 | 47 | # End of https://www.gitignore.io/api/go,macos 48 | -------------------------------------------------------------------------------- /main_test.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/cosmonawt/vaulter-white/conf" 5 | "github.com/cosmonawt/vaulter-white/vault" 6 | "github.com/stretchr/testify/assert" 7 | "os" 8 | "testing" 9 | ) 10 | 11 | func TestPrepareEnvironment(t *testing.T) { 12 | config := conf.Config{ 13 | SecretPaths: map[string]map[string]string{ 14 | "testSecret1": { 15 | "testKey1": "TEST_VAL1", 16 | }, 17 | }, 18 | } 19 | 20 | secrets := map[string]vault.SecretData{ 21 | "testSecret1": { 22 | "testKey1": "TestValue1", 23 | "testKey2": "TestValue2", 24 | }, 25 | } 26 | 27 | os.Setenv("TESTENV", "TESTVAL") 28 | 29 | testEnv := PrepareEnvironment(secrets, config) 30 | 31 | assert.Contains(t, testEnv, "TEST_VAL1=TestValue1", "Secrets should be saved according to config") 32 | assert.Contains(t, testEnv, "TESTSECRET1_TESTKEY2=TestValue2", "Secrets should be saved if config is absent") 33 | assert.Contains(t, testEnv, "TESTENV=TESTVAL", "Existing environment variables should be included") 34 | } 35 | -------------------------------------------------------------------------------- /Gopkg.toml: -------------------------------------------------------------------------------- 1 | # Gopkg.toml example 2 | # 3 | # Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md 4 | # for detailed Gopkg.toml documentation. 5 | # 6 | # required = ["github.com/user/thing/cmd/thing"] 7 | # ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"] 8 | # 9 | # [[constraint]] 10 | # name = "github.com/user/project" 11 | # version = "1.0.0" 12 | # 13 | # [[constraint]] 14 | # name = "github.com/user/project2" 15 | # branch = "dev" 16 | # source = "github.com/myfork/project2" 17 | # 18 | # [[override]] 19 | # name = "github.com/x/y" 20 | # version = "2.4.0" 21 | # 22 | # [prune] 23 | # non-go = false 24 | # go-tests = true 25 | # unused-packages = true 26 | 27 | 28 | [[constraint]] 29 | name = "github.com/stretchr/testify" 30 | version = "1.2.1" 31 | 32 | [[constraint]] 33 | branch = "master" 34 | name = "golang.org/x/sys" 35 | 36 | [[constraint]] 37 | name = "gopkg.in/yaml.v2" 38 | version = "2.2.1" 39 | 40 | [prune] 41 | go-tests = true 42 | unused-packages = true 43 | -------------------------------------------------------------------------------- /Gopkg.lock: -------------------------------------------------------------------------------- 1 | # This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'. 2 | 3 | 4 | [[projects]] 5 | name = "github.com/davecgh/go-spew" 6 | packages = ["spew"] 7 | revision = "346938d642f2ec3594ed81d874461961cd0faa76" 8 | version = "v1.1.0" 9 | 10 | [[projects]] 11 | name = "github.com/pmezard/go-difflib" 12 | packages = ["difflib"] 13 | revision = "792786c7400a136282c1664665ae0a8db921c6c2" 14 | version = "v1.0.0" 15 | 16 | [[projects]] 17 | name = "github.com/stretchr/testify" 18 | packages = ["assert"] 19 | revision = "12b6f73e6084dad08a7c6e575284b177ecafbc71" 20 | version = "v1.2.1" 21 | 22 | [[projects]] 23 | branch = "master" 24 | name = "golang.org/x/sys" 25 | packages = ["unix"] 26 | revision = "b126b21c05a91c856b027c16779c12e3bf236954" 27 | 28 | [[projects]] 29 | name = "gopkg.in/yaml.v2" 30 | packages = ["."] 31 | revision = "5420a8b6744d3b0345ab293f6fcba19c978f1183" 32 | version = "v2.2.1" 33 | 34 | [solve-meta] 35 | analyzer-name = "dep" 36 | analyzer-version = 1 37 | inputs-digest = "3de7f6ebe8e269dec0b31e712375c6c7a87e4b93166c0cbb3f84402c8dc754a3" 38 | solver-name = "gps-cdcl" 39 | solver-version = 1 40 | -------------------------------------------------------------------------------- /conf/config.go: -------------------------------------------------------------------------------- 1 | package conf 2 | 3 | import ( 4 | "gopkg.in/yaml.v2" 5 | "io" 6 | "os" 7 | ) 8 | 9 | type Config struct { 10 | Command []string `yamle:"command"` 11 | Host string `yaml:"host"` 12 | HostEnv string `yaml:"hostEnv"` 13 | Token string `yaml:"token"` 14 | RoleID string `yaml:"roleId"` 15 | RoleIDEnv string `yaml:"roleIdEnv"` 16 | SecretId string `yaml:"secretId"` 17 | SecretIdEnv string `yaml:"secretIdEnv"` 18 | SecretMount string `yaml:"secretMount"` 19 | SecretPaths map[string]map[string]string `yaml:"secrets"` 20 | } 21 | 22 | func LoadConfig(f io.Reader) (c Config, err error) { 23 | d := yaml.NewDecoder(f) 24 | config := Config{} 25 | 26 | err = d.Decode(&config) 27 | if err != nil { 28 | return config, err 29 | } 30 | 31 | if config.Host == "" { 32 | config.Host = safeLookupEnv(config.HostEnv, "VAULT_HOST") 33 | } 34 | 35 | if config.RoleID == "" { 36 | config.RoleID = safeLookupEnv(config.RoleIDEnv, "VAULT_ROLE_ID") 37 | } 38 | 39 | if config.SecretId == "" { 40 | config.SecretId = safeLookupEnv(config.SecretIdEnv, "VAULT_SECRET_ID") 41 | } 42 | 43 | return config, nil 44 | } 45 | 46 | func safeLookupEnv(env string, fallbackEnv string) string { 47 | v, ok := os.LookupEnv(env) 48 | if !ok { 49 | v = os.Getenv(fallbackEnv) 50 | } 51 | return v 52 | } 53 | -------------------------------------------------------------------------------- /conf/config_test.go: -------------------------------------------------------------------------------- 1 | package conf 2 | 3 | import ( 4 | "github.com/stretchr/testify/assert" 5 | "os" 6 | "strings" 7 | "testing" 8 | ) 9 | 10 | func TestLoadConfig(t *testing.T) { 11 | c := ` 12 | host: "testHost" 13 | roleId: "testRole" 14 | secretId: "testSecret"` 15 | 16 | config, err := LoadConfig(strings.NewReader(c)) 17 | assert.Nil(t, err) 18 | assert.NotNil(t, config) 19 | assert.Equal(t, "testHost", config.Host) 20 | assert.Equal(t, "testRole", config.RoleID) 21 | assert.Equal(t, "testSecret", config.SecretId) 22 | 23 | c = ` 24 | host: "testHost" 25 | some: "nonsensfield" 26 | secretId: "testSecret"` 27 | 28 | config, err = LoadConfig(strings.NewReader(c)) 29 | assert.Nil(t, err) 30 | assert.NotNil(t, config) 31 | assert.Equal(t, "testHost", config.Host) 32 | assert.Equal(t, "", config.RoleID) 33 | assert.Equal(t, "testSecret", config.SecretId) 34 | 35 | c = ` 36 | host: "testHost" 37 | some: "nonsensfield" 38 | secretIdEnv: "SECRET"` 39 | os.Setenv("SECRET", "testSecret") 40 | 41 | config, err = LoadConfig(strings.NewReader(c)) 42 | assert.Nil(t, err) 43 | assert.NotNil(t, config) 44 | assert.Equal(t, "testSecret", config.SecretId, "should read secret from 'secretIdEnv'") 45 | 46 | c = ` 47 | host: "testHost" 48 | some: "nonsensfield"` 49 | os.Setenv("VAULT_SECRET_ID", "testSecret") 50 | 51 | config, err = LoadConfig(strings.NewReader(c)) 52 | assert.Nil(t, err) 53 | assert.NotNil(t, config) 54 | assert.Equal(t, "testSecret", config.SecretId, "should read secret from 'VAULT_SECRET_ID'") 55 | 56 | c = "" 57 | config, err = LoadConfig(strings.NewReader(c)) 58 | assert.NotNil(t, err) 59 | } 60 | 61 | func TestSafeLookupEnv(t *testing.T) { 62 | os.Setenv("VAULT_HOST", "testHost") 63 | os.Setenv("VAULT_HOST_FALLBACK", "testHostFallback") 64 | 65 | env := safeLookupEnv("VAULT_HOST", "VAULT_HOST_FALLBACK") 66 | assert.Equal(t, "testHost", env, "should read primary value successfully") 67 | 68 | os.Unsetenv("VAULT_HOST") 69 | env = safeLookupEnv("VAULT_HOST", "VAULT_HOST_FALLBACK") 70 | assert.Equal(t, "testHostFallback", env, "should read fallback value successfully") 71 | } 72 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "flag" 5 | "fmt" 6 | "github.com/cosmonawt/vaulter-white/conf" 7 | "github.com/cosmonawt/vaulter-white/vault" 8 | "golang.org/x/sys/unix" 9 | "log" 10 | "os" 11 | "os/exec" 12 | "strings" 13 | "sync" 14 | ) 15 | 16 | func main() { 17 | var c = flag.String("c", "vaulter-white.yaml", "Configuration file") 18 | flag.Parse() 19 | 20 | if flag.NFlag() < 1 { 21 | flag.Usage() 22 | } 23 | 24 | file, err := os.Open(*c) 25 | if err != nil { 26 | log.Fatal("could not open config: ", err) 27 | } 28 | defer file.Close() 29 | 30 | config, err := conf.LoadConfig(file) 31 | if err != nil { 32 | log.Fatal("could not load config: ", err) 33 | } 34 | 35 | command := config.Command 36 | if len(os.Args) > 3 { 37 | command = os.Args[3:] 38 | } 39 | 40 | if command == nil { 41 | log.Fatal("No Command provided. Please specify in config or provide as argument!") 42 | } 43 | 44 | vr := vault.AppRole{RoleId: config.RoleID, SecretId: config.SecretId} 45 | v := vault.Vault{Hostname: config.Host, AccessToken: config.Token, AppRole: vr, SecretMount: config.SecretMount} 46 | 47 | err = v.GetAccessToken() 48 | if err != nil { 49 | log.Fatal("authentication Error: ", err) 50 | } 51 | 52 | list, err := v.ListSecrets() 53 | if err != nil { 54 | log.Fatal("error listing secrets: ", err) 55 | } 56 | 57 | secrets := &secretList{secrets: map[string]vault.SecretData{}} 58 | 59 | for _, s := range list { 60 | secrets.w.Add(1) 61 | go func(s string) { 62 | secret, err := v.GetSecret(s) 63 | if err != nil { 64 | log.Fatal("error getting secret: ", err) 65 | } 66 | secrets.add(s, secret) 67 | secrets.w.Done() 68 | }(s) 69 | } 70 | 71 | secrets.w.Wait() 72 | 73 | environment := PrepareEnvironment(secrets.secrets, config) 74 | binary, err := exec.LookPath(command[0]) 75 | if err != nil { 76 | log.Fatal("command not found: ", err) 77 | } 78 | unix.Exec(binary, command, environment) 79 | } 80 | 81 | type secretList struct { 82 | m sync.Mutex 83 | w sync.WaitGroup 84 | secrets map[string]vault.SecretData 85 | } 86 | 87 | func (s *secretList) add(name string, secretData vault.SecretData) { 88 | s.m.Lock() 89 | defer s.m.Unlock() 90 | s.secrets[name] = secretData 91 | } 92 | 93 | func PrepareEnvironment(secrets map[string]vault.SecretData, config conf.Config) []string { 94 | environment := os.Environ() 95 | for name, secret := range secrets { 96 | for sk, sv := range secret { 97 | if cv := config.SecretPaths[name][sk]; cv != "" { 98 | e := fmt.Sprintf("%s=%s", cv, sv) 99 | environment = append(environment, e) 100 | continue 101 | } 102 | e := fmt.Sprintf("%s=%s", strings.ToUpper(fmt.Sprintf("%s_%s", name, sk)), sv) 103 | environment = append(environment, e) 104 | } 105 | } 106 | return environment 107 | } 108 | -------------------------------------------------------------------------------- /vault/vault.go: -------------------------------------------------------------------------------- 1 | package vault 2 | 3 | import ( 4 | "bytes" 5 | "encoding/json" 6 | "fmt" 7 | "net/http" 8 | ) 9 | 10 | type Vault struct { 11 | Hostname string 12 | AccessToken string 13 | AppRole AppRole 14 | SecretMount string 15 | } 16 | 17 | type AppRole struct { 18 | RoleId string `json:"role_id"` 19 | SecretId string `json:"secret_id"` 20 | } 21 | 22 | type Secret struct { 23 | RequestID string `json:"request_id"` 24 | LeaseID string `json:"lease_id"` 25 | Renewable bool `json:"renewable"` 26 | LeaseDuration int `json:"lease_duration"` 27 | Auth Auth `json:"auth"` 28 | Data map[string]json.RawMessage `json:"data"` 29 | } 30 | 31 | type Auth struct { 32 | ClientToken string `json:"client_token"` 33 | Accessor string `json:"accessor"` 34 | Policies []string `json:"policies"` 35 | } 36 | 37 | type SecretData map[string]string 38 | 39 | func (v *Vault) GetAccessToken() error { 40 | p, err := json.Marshal(v.AppRole) 41 | if err != nil { 42 | return err 43 | } 44 | 45 | r, err := v.makeRequest("POST", "/v1/auth/approle/login", string(p)) 46 | if err != nil { 47 | return err 48 | } 49 | 50 | v.AccessToken = r.Auth.ClientToken 51 | return nil 52 | } 53 | 54 | func (v Vault) GetSecret(secretName string) (secret SecretData, err error) { 55 | p := "/v1" + v.SecretMount + secretName 56 | 57 | r, err := v.makeRequest("GET", p, "") 58 | if err != nil { 59 | return nil, err 60 | } 61 | 62 | secret = make(map[string]string) 63 | for k, v := range r.Data { 64 | var s string 65 | err = json.Unmarshal(v, &s) 66 | if err != nil { 67 | secret[k] = string(v) 68 | continue 69 | } 70 | secret[k] = s 71 | } 72 | 73 | return secret, nil 74 | } 75 | 76 | func (v Vault) ListSecrets() (secrets []string, err error) { 77 | p := "/v1" + v.SecretMount 78 | 79 | r, err := v.makeRequest("LIST", p, "") 80 | if err != nil { 81 | return secrets, err 82 | } 83 | 84 | var secretList []string 85 | err = json.Unmarshal(r.Data["keys"], &secretList) 86 | if err != nil { 87 | return secrets, fmt.Errorf("error listing secrets") 88 | } 89 | 90 | return secretList, nil 91 | } 92 | 93 | func (v Vault) makeRequest(requestType string, path string, params string) (response Secret, err error) { 94 | url := fmt.Sprintf("%s%s", v.Hostname, path) 95 | 96 | req, err := http.NewRequest(requestType, url, bytes.NewBufferString(params)) 97 | if err != nil { 98 | return Secret{}, err 99 | } 100 | 101 | if v.AccessToken != "" { 102 | req.Header.Set("X-Vault-Token", v.AccessToken) 103 | } 104 | 105 | client := http.Client{} 106 | 107 | r, err := client.Do(req) 108 | if err != nil { 109 | return Secret{}, err 110 | } 111 | defer r.Body.Close() 112 | 113 | if r.StatusCode != 200 { 114 | b := new(bytes.Buffer) 115 | b.ReadFrom(r.Body) 116 | return Secret{}, fmt.Errorf("bad response code %d %s", r.StatusCode, b.String()) 117 | } 118 | 119 | vaultResponse := Secret{} 120 | 121 | d := json.NewDecoder(r.Body) 122 | d.Decode(&vaultResponse) 123 | if err != nil { 124 | return Secret{}, err 125 | } 126 | 127 | return vaultResponse, nil 128 | } 129 | -------------------------------------------------------------------------------- /vault/vault_test.go: -------------------------------------------------------------------------------- 1 | package vault 2 | 3 | import ( 4 | "encoding/json" 5 | "github.com/stretchr/testify/assert" 6 | "net/http" 7 | "net/http/httptest" 8 | "testing" 9 | ) 10 | 11 | func TestVault_GetAccessToken(t *testing.T) { 12 | ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 13 | assert.Equal(t, "POST", r.Method, "HTTP Method should be correct") 14 | assert.Equal(t, "/v1/auth/approle/login", r.RequestURI, "URI should be correct") 15 | 16 | login := AppRole{} 17 | d := json.NewDecoder(r.Body) 18 | d.Decode(&login) 19 | 20 | if login.SecretId == "" { 21 | w.WriteHeader(400) 22 | return 23 | } 24 | 25 | assert.Equal(t, "roleId", login.RoleId, "RoleID should be transmitted correctly") 26 | assert.Equal(t, "secretId", login.SecretId, "SecretID should be transmitted correctly") 27 | 28 | w.Write([]byte(`{"auth": {"client_token": "accessToken"}}`)) 29 | })) 30 | defer ts.Close() 31 | 32 | ar := AppRole{RoleId: "roleId", SecretId: "secretId"} 33 | v := Vault{Hostname: ts.URL, AppRole: ar} 34 | 35 | v.GetAccessToken() 36 | assert.Equal(t, "accessToken", v.AccessToken, "Correct Access Token should be returned") 37 | 38 | v.AppRole.SecretId = "" 39 | e := v.GetAccessToken() 40 | assert.NotNil(t, e, "should produce error if no SecretId was passed") 41 | } 42 | 43 | func TestVault_ListSecrets(t *testing.T) { 44 | ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 45 | assert.Equal(t, "LIST", r.Method, "HTTP Method should be correct") 46 | assert.Equal(t, "/v1/mount/", r.RequestURI, "URI should be correct") 47 | assert.Equal(t, "accessToken", r.Header.Get("X-Vault-Token"), "should contain correct Access Token") 48 | 49 | w.Write([]byte(`{"data": {"keys": ["testSecret1", "testSecret2"]}}`)) 50 | })) 51 | defer ts.Close() 52 | 53 | ar := AppRole{RoleId: "roleId", SecretId: "secretId"} 54 | v := Vault{Hostname: ts.URL, AppRole: ar, AccessToken: "accessToken", SecretMount: "/mount/"} 55 | 56 | s, err := v.ListSecrets() 57 | assert.Nil(t, err, "should not produce error") 58 | 59 | expected := []string{ 60 | "testSecret1", 61 | "testSecret2", 62 | } 63 | 64 | assert.Equal(t, expected, s, "should return correct secrets") 65 | } 66 | 67 | func TestVault_GetSecret(t *testing.T) { 68 | ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 69 | assert.Equal(t, "GET", r.Method, "HTTP Method should be correct") 70 | assert.Equal(t, "/v1/mount/testSecret1", r.RequestURI, "URI should be correct") 71 | assert.Equal(t, "accessToken", r.Header.Get("X-Vault-Token"), "should contain correct Access Token") 72 | 73 | w.Write([]byte(`{"data": {"secretKey1": "secretValue1", "secretKey2": {"secretKey2Sub1":"secret2Sub1Value"}, "secretKey3": ["1",2]}}`)) 74 | })) 75 | defer ts.Close() 76 | 77 | ar := AppRole{RoleId: "roleId", SecretId: "secretId"} 78 | v := Vault{Hostname: ts.URL, AppRole: ar, AccessToken: "accessToken", SecretMount: "/mount/"} 79 | 80 | s, err := v.GetSecret("testSecret1") 81 | assert.Nil(t, err, "should not produce error") 82 | 83 | expected := SecretData{ 84 | "secretKey1": "secretValue1", 85 | "secretKey2": `{"secretKey2Sub1":"secret2Sub1Value"}`, 86 | "secretKey3": "[\"1\",2]", 87 | } 88 | 89 | assert.Equal(t, expected, s, "should unmarshal secret values correctly") 90 | } 91 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # vaulter-white 2 | A tool to pass Vault secrets to other processes via environment variables. 3 | 4 | [![Build Status](https://travis-ci.org/cosmonawt/vaulter-white.svg?branch=master)](https://travis-ci.org/cosmonawt/vaulter-white) 5 | [![Go Report Card](https://goreportcard.com/badge/github.com/cosmonawt/vaulter-white)](https://goreportcard.com/report/github.com/cosmonawt/vaulter-white) 6 | 7 | ## About 8 | vaulter-white reads secrets from [Vault](https://vaultproject.io) and passes them into a newly spawned process using environment variables. 9 | It is particularly useful in containerized applications. For example it can be set as the `ENTRYPOINT` in a Docker container to retrieve production Keys for your App. 10 | After loading the secrets into the environment (while also including all existing variables) it will replace itself with a freshly spawned instance of the configurable process. 11 | 12 | _Note:_ At the moment only [AppRole](https://www.vaultproject.io/docs/auth/approle.html) authentication is supported. 13 | 14 | ## Configuration 15 | vaulter-white is configured via vaulter-white.yaml which will be read from the current directory if not specified otherwise using the `-c` flag. 16 | 17 | _Example:_ 18 | ```yaml 19 | command: ["bash", "-c", "env"] # Specifies the command to run after loading the secrets. 20 | host: http://vault.rocks:8200 # Host of Vault server. 21 | hostEnv: HOST # If "host" is not set, it will be read from this environment variable. 22 | roleId: myAppRole # RoleID for AppRole Authentication in Vault. 23 | roleIdEnv: ROLE_ID # If "roleId" is not set, it will be read from this environment variable. 24 | secretId: mySuperSecretId # SecretID for AppRole Authentication in Vault. 25 | secretIdEnv: SECRET_ID # If "secretId" is not set, it will be read from this environment variable. 26 | secretMount: /secret/appConfig/ # "secretMount" contains the path to the secret backend holding your keys in Vault. 27 | secrets: # "secrets" is a collection of environment variable name overrides for each key. 28 | awsConfig: 29 | region: AWS_REGION 30 | access_key_id: AWS_KEY_ID 31 | secret_access_key: AWS_SECRET_KEY 32 | googleAPI: 33 | apiKey: GOOGLE_API_KEY 34 | 35 | ``` 36 | 37 | - `command` is optional and can be passed as command line argument as well (for example: `vaulter-white -c config.yaml bash -c env`). 38 | - `host` will be read from the environment if not set (either by looking at `hostEnv` or using `VAULT_HOST` as a fallback). This makes it easy to include vaulter-white in Docker images that are built by CI. 39 | - `secretId` will also be read from the environment if not set (either by looking at `secretIdEnv` or using `VAULT_SECRET_ID` as a fallback). 40 | - `roleId` will also be read from the environment if not set (either by looking at `roleIdEnv` or using `VAULT_ROLE_ID` as a fallback). 41 | - `secrets` is optional as well. Any keys not listed there will be exported as `SECRETNAME_KEY=value`. 42 | 43 | _Note:_ Secret values should always store flat data types and no marshaled data (e.g JSON Objects). Values that are not strings will be exported as JSON. 44 | 45 | ## Run 46 | 47 | To pass the configuration use the `-c` flag: `vaulter-white -c configuration.yaml` 48 | If no command was specified in the configuration it should be passed as a commandline argument: `vaulter-white -c config.yaml bash -c env` 49 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Mozilla Public License Version 2.0 2 | ================================== 3 | 4 | 1. Definitions 5 | -------------- 6 | 7 | 1.1. "Contributor" 8 | means each individual or legal entity that creates, contributes to 9 | the creation of, or owns Covered Software. 10 | 11 | 1.2. "Contributor Version" 12 | means the combination of the Contributions of others (if any) used 13 | by a Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. "Contribution" 16 | means Covered Software of a particular Contributor. 17 | 18 | 1.4. "Covered Software" 19 | means Source Code Form to which the initial Contributor has attached 20 | the notice in Exhibit A, the Executable Form of such Source Code 21 | Form, and Modifications of such Source Code Form, in each case 22 | including portions thereof. 23 | 24 | 1.5. "Incompatible With Secondary Licenses" 25 | means 26 | 27 | (a) that the initial Contributor has attached the notice described 28 | in Exhibit B to the Covered Software; or 29 | 30 | (b) that the Covered Software was made available under the terms of 31 | version 1.1 or earlier of the License, but not also under the 32 | terms of a Secondary License. 33 | 34 | 1.6. "Executable Form" 35 | means any form of the work other than Source Code Form. 36 | 37 | 1.7. "Larger Work" 38 | means a work that combines Covered Software with other material, in 39 | a separate file or files, that is not Covered Software. 40 | 41 | 1.8. "License" 42 | means this document. 43 | 44 | 1.9. "Licensable" 45 | means having the right to grant, to the maximum extent possible, 46 | whether at the time of the initial grant or subsequently, any and 47 | all of the rights conveyed by this License. 48 | 49 | 1.10. "Modifications" 50 | means any of the following: 51 | 52 | (a) any file in Source Code Form that results from an addition to, 53 | deletion from, or modification of the contents of Covered 54 | Software; or 55 | 56 | (b) any new file in Source Code Form that contains any Covered 57 | Software. 58 | 59 | 1.11. "Patent Claims" of a Contributor 60 | means any patent claim(s), including without limitation, method, 61 | process, and apparatus claims, in any patent Licensable by such 62 | Contributor that would be infringed, but for the grant of the 63 | License, by the making, using, selling, offering for sale, having 64 | made, import, or transfer of either its Contributions or its 65 | Contributor Version. 66 | 67 | 1.12. "Secondary License" 68 | means either the GNU General Public License, Version 2.0, the GNU 69 | Lesser General Public License, Version 2.1, the GNU Affero General 70 | Public License, Version 3.0, or any later versions of those 71 | licenses. 72 | 73 | 1.13. "Source Code Form" 74 | means the form of the work preferred for making modifications. 75 | 76 | 1.14. "You" (or "Your") 77 | means an individual or a legal entity exercising rights under this 78 | License. For legal entities, "You" includes any entity that 79 | controls, is controlled by, or is under common control with You. For 80 | purposes of this definition, "control" means (a) the power, direct 81 | or indirect, to cause the direction or management of such entity, 82 | whether by contract or otherwise, or (b) ownership of more than 83 | fifty percent (50%) of the outstanding shares or beneficial 84 | ownership of such entity. 85 | 86 | 2. License Grants and Conditions 87 | -------------------------------- 88 | 89 | 2.1. Grants 90 | 91 | Each Contributor hereby grants You a world-wide, royalty-free, 92 | non-exclusive license: 93 | 94 | (a) under intellectual property rights (other than patent or trademark) 95 | Licensable by such Contributor to use, reproduce, make available, 96 | modify, display, perform, distribute, and otherwise exploit its 97 | Contributions, either on an unmodified basis, with Modifications, or 98 | as part of a Larger Work; and 99 | 100 | (b) under Patent Claims of such Contributor to make, use, sell, offer 101 | for sale, have made, import, and otherwise transfer either its 102 | Contributions or its Contributor Version. 103 | 104 | 2.2. Effective Date 105 | 106 | The licenses granted in Section 2.1 with respect to any Contribution 107 | become effective for each Contribution on the date the Contributor first 108 | distributes such Contribution. 109 | 110 | 2.3. Limitations on Grant Scope 111 | 112 | The licenses granted in this Section 2 are the only rights granted under 113 | this License. No additional rights or licenses will be implied from the 114 | distribution or licensing of Covered Software under this License. 115 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 116 | Contributor: 117 | 118 | (a) for any code that a Contributor has removed from Covered Software; 119 | or 120 | 121 | (b) for infringements caused by: (i) Your and any other third party's 122 | modifications of Covered Software, or (ii) the combination of its 123 | Contributions with other software (except as part of its Contributor 124 | Version); or 125 | 126 | (c) under Patent Claims infringed by Covered Software in the absence of 127 | its Contributions. 128 | 129 | This License does not grant any rights in the trademarks, service marks, 130 | or logos of any Contributor (except as may be necessary to comply with 131 | the notice requirements in Section 3.4). 132 | 133 | 2.4. Subsequent Licenses 134 | 135 | No Contributor makes additional grants as a result of Your choice to 136 | distribute the Covered Software under a subsequent version of this 137 | License (see Section 10.2) or under the terms of a Secondary License (if 138 | permitted under the terms of Section 3.3). 139 | 140 | 2.5. Representation 141 | 142 | Each Contributor represents that the Contributor believes its 143 | Contributions are its original creation(s) or it has sufficient rights 144 | to grant the rights to its Contributions conveyed by this License. 145 | 146 | 2.6. Fair Use 147 | 148 | This License is not intended to limit any rights You have under 149 | applicable copyright doctrines of fair use, fair dealing, or other 150 | equivalents. 151 | 152 | 2.7. Conditions 153 | 154 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted 155 | in Section 2.1. 156 | 157 | 3. Responsibilities 158 | ------------------- 159 | 160 | 3.1. Distribution of Source Form 161 | 162 | All distribution of Covered Software in Source Code Form, including any 163 | Modifications that You create or to which You contribute, must be under 164 | the terms of this License. You must inform recipients that the Source 165 | Code Form of the Covered Software is governed by the terms of this 166 | License, and how they can obtain a copy of this License. You may not 167 | attempt to alter or restrict the recipients' rights in the Source Code 168 | Form. 169 | 170 | 3.2. Distribution of Executable Form 171 | 172 | If You distribute Covered Software in Executable Form then: 173 | 174 | (a) such Covered Software must also be made available in Source Code 175 | Form, as described in Section 3.1, and You must inform recipients of 176 | the Executable Form how they can obtain a copy of such Source Code 177 | Form by reasonable means in a timely manner, at a charge no more 178 | than the cost of distribution to the recipient; and 179 | 180 | (b) You may distribute such Executable Form under the terms of this 181 | License, or sublicense it under different terms, provided that the 182 | license for the Executable Form does not attempt to limit or alter 183 | the recipients' rights in the Source Code Form under this License. 184 | 185 | 3.3. Distribution of a Larger Work 186 | 187 | You may create and distribute a Larger Work under terms of Your choice, 188 | provided that You also comply with the requirements of this License for 189 | the Covered Software. If the Larger Work is a combination of Covered 190 | Software with a work governed by one or more Secondary Licenses, and the 191 | Covered Software is not Incompatible With Secondary Licenses, this 192 | License permits You to additionally distribute such Covered Software 193 | under the terms of such Secondary License(s), so that the recipient of 194 | the Larger Work may, at their option, further distribute the Covered 195 | Software under the terms of either this License or such Secondary 196 | License(s). 197 | 198 | 3.4. Notices 199 | 200 | You may not remove or alter the substance of any license notices 201 | (including copyright notices, patent notices, disclaimers of warranty, 202 | or limitations of liability) contained within the Source Code Form of 203 | the Covered Software, except that You may alter any license notices to 204 | the extent required to remedy known factual inaccuracies. 205 | 206 | 3.5. Application of Additional Terms 207 | 208 | You may choose to offer, and to charge a fee for, warranty, support, 209 | indemnity or liability obligations to one or more recipients of Covered 210 | Software. However, You may do so only on Your own behalf, and not on 211 | behalf of any Contributor. You must make it absolutely clear that any 212 | such warranty, support, indemnity, or liability obligation is offered by 213 | You alone, and You hereby agree to indemnify every Contributor for any 214 | liability incurred by such Contributor as a result of warranty, support, 215 | indemnity or liability terms You offer. You may include additional 216 | disclaimers of warranty and limitations of liability specific to any 217 | jurisdiction. 218 | 219 | 4. Inability to Comply Due to Statute or Regulation 220 | --------------------------------------------------- 221 | 222 | If it is impossible for You to comply with any of the terms of this 223 | License with respect to some or all of the Covered Software due to 224 | statute, judicial order, or regulation then You must: (a) comply with 225 | the terms of this License to the maximum extent possible; and (b) 226 | describe the limitations and the code they affect. Such description must 227 | be placed in a text file included with all distributions of the Covered 228 | Software under this License. Except to the extent prohibited by statute 229 | or regulation, such description must be sufficiently detailed for a 230 | recipient of ordinary skill to be able to understand it. 231 | 232 | 5. Termination 233 | -------------- 234 | 235 | 5.1. The rights granted under this License will terminate automatically 236 | if You fail to comply with any of its terms. However, if You become 237 | compliant, then the rights granted under this License from a particular 238 | Contributor are reinstated (a) provisionally, unless and until such 239 | Contributor explicitly and finally terminates Your grants, and (b) on an 240 | ongoing basis, if such Contributor fails to notify You of the 241 | non-compliance by some reasonable means prior to 60 days after You have 242 | come back into compliance. Moreover, Your grants from a particular 243 | Contributor are reinstated on an ongoing basis if such Contributor 244 | notifies You of the non-compliance by some reasonable means, this is the 245 | first time You have received notice of non-compliance with this License 246 | from such Contributor, and You become compliant prior to 30 days after 247 | Your receipt of the notice. 248 | 249 | 5.2. If You initiate litigation against any entity by asserting a patent 250 | infringement claim (excluding declaratory judgment actions, 251 | counter-claims, and cross-claims) alleging that a Contributor Version 252 | directly or indirectly infringes any patent, then the rights granted to 253 | You by any and all Contributors for the Covered Software under Section 254 | 2.1 of this License shall terminate. 255 | 256 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all 257 | end user license agreements (excluding distributors and resellers) which 258 | have been validly granted by You or Your distributors under this License 259 | prior to termination shall survive termination. 260 | 261 | ************************************************************************ 262 | * * 263 | * 6. Disclaimer of Warranty * 264 | * ------------------------- * 265 | * * 266 | * Covered Software is provided under this License on an "as is" * 267 | * basis, without warranty of any kind, either expressed, implied, or * 268 | * statutory, including, without limitation, warranties that the * 269 | * Covered Software is free of defects, merchantable, fit for a * 270 | * particular purpose or non-infringing. The entire risk as to the * 271 | * quality and performance of the Covered Software is with You. * 272 | * Should any Covered Software prove defective in any respect, You * 273 | * (not any Contributor) assume the cost of any necessary servicing, * 274 | * repair, or correction. This disclaimer of warranty constitutes an * 275 | * essential part of this License. No use of any Covered Software is * 276 | * authorized under this License except under this disclaimer. * 277 | * * 278 | ************************************************************************ 279 | 280 | ************************************************************************ 281 | * * 282 | * 7. Limitation of Liability * 283 | * -------------------------- * 284 | * * 285 | * Under no circumstances and under no legal theory, whether tort * 286 | * (including negligence), contract, or otherwise, shall any * 287 | * Contributor, or anyone who distributes Covered Software as * 288 | * permitted above, be liable to You for any direct, indirect, * 289 | * special, incidental, or consequential damages of any character * 290 | * including, without limitation, damages for lost profits, loss of * 291 | * goodwill, work stoppage, computer failure or malfunction, or any * 292 | * and all other commercial damages or losses, even if such party * 293 | * shall have been informed of the possibility of such damages. This * 294 | * limitation of liability shall not apply to liability for death or * 295 | * personal injury resulting from such party's negligence to the * 296 | * extent applicable law prohibits such limitation. Some * 297 | * jurisdictions do not allow the exclusion or limitation of * 298 | * incidental or consequential damages, so this exclusion and * 299 | * limitation may not apply to You. * 300 | * * 301 | ************************************************************************ 302 | 303 | 8. Litigation 304 | ------------- 305 | 306 | Any litigation relating to this License may be brought only in the 307 | courts of a jurisdiction where the defendant maintains its principal 308 | place of business and such litigation shall be governed by laws of that 309 | jurisdiction, without reference to its conflict-of-law provisions. 310 | Nothing in this Section shall prevent a party's ability to bring 311 | cross-claims or counter-claims. 312 | 313 | 9. Miscellaneous 314 | ---------------- 315 | 316 | This License represents the complete agreement concerning the subject 317 | matter hereof. If any provision of this License is held to be 318 | unenforceable, such provision shall be reformed only to the extent 319 | necessary to make it enforceable. Any law or regulation which provides 320 | that the language of a contract shall be construed against the drafter 321 | shall not be used to construe this License against a Contributor. 322 | 323 | 10. Versions of the License 324 | --------------------------- 325 | 326 | 10.1. New Versions 327 | 328 | Mozilla Foundation is the license steward. Except as provided in Section 329 | 10.3, no one other than the license steward has the right to modify or 330 | publish new versions of this License. Each version will be given a 331 | distinguishing version number. 332 | 333 | 10.2. Effect of New Versions 334 | 335 | You may distribute the Covered Software under the terms of the version 336 | of the License under which You originally received the Covered Software, 337 | or under the terms of any subsequent version published by the license 338 | steward. 339 | 340 | 10.3. Modified Versions 341 | 342 | If you create software not governed by this License, and you want to 343 | create a new license for such software, you may create and use a 344 | modified version of this License if you rename the license and remove 345 | any references to the name of the license steward (except to note that 346 | such modified license differs from this License). 347 | 348 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 349 | Licenses 350 | 351 | If You choose to distribute Source Code Form that is Incompatible With 352 | Secondary Licenses under the terms of this version of the License, the 353 | notice described in Exhibit B of this License must be attached. 354 | 355 | Exhibit A - Source Code Form License Notice 356 | ------------------------------------------- 357 | 358 | This Source Code Form is subject to the terms of the Mozilla Public 359 | License, v. 2.0. If a copy of the MPL was not distributed with this 360 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 361 | 362 | If it is not possible or desirable to put the notice in a particular 363 | file, then You may include the notice in a location (such as a LICENSE 364 | file in a relevant directory) where a recipient would be likely to look 365 | for such a notice. 366 | 367 | You may add additional accurate notices of copyright ownership. 368 | 369 | Exhibit B - "Incompatible With Secondary Licenses" Notice 370 | --------------------------------------------------------- 371 | 372 | This Source Code Form is "Incompatible With Secondary Licenses", as 373 | defined by the Mozilla Public License, v. 2.0. 374 | --------------------------------------------------------------------------------