Vault KV Provider¶
This provider fetches secrets from HashiCorp Vault’s KV secrets engine and imports them into environment variables. It represents one of the most common and straightforward use cases for secrets.env.
Tip
To streamline workflow and minimize context switching, this provider supports configuration via environment variables.
By default, it retrieves configuration from environment variables prefixed with SECRETS_ENV_
.
However, for alignment with the official Vault CLI tool, it can also be set up to read from environment variables prefixed with VAULT_
.
Configuration layout¶
[[sources]]
name = "strongbox"
type = "vault"
url = "https://vault.example.com"
proxy = "http://proxy:3128"
[sources.auth]
method = "okta"
username = "user@example.com"
[sources.tls]
ca_cert = "/path/ca.cert"
client_cert = "/path/client.cert"
client_key = "/path/client.key"
[sources.teleport]
proxy = "teleport.example.com"
cluster = "dev.example.com"
user = "demo-user"
app = "my-app"
[[secrets]]
name = "DEMO_TOKEN"
source = "strongbox"
path = "secret/default"
field = "token"
[[secrets]]
name = "NESTED_SECRET"
source = "strongbox"
path = "secret/default"
field = [
"subpath",
"to",
"secret",
]
sources:
- name: strongbox
type: vault
url: https://vault.example.com
auth:
method: okta
username: user@example.com
proxy: http://proxy:3128
tls:
ca_cert: /path/ca.cert
client_cert: /path/client.cert
client_key: /path/client.key
teleport:
proxy: teleport.example.com
cluster: dev.example.com
user: demo-user
app: my-app
secrets:
- name: DEMO_TOKEN
source: strongbox
path: secret/default
field: token
- name: NESTED_SECRET
source: strongbox
path: secret/default
field:
- subpath
- to
- secret
{
"sources": [
{
"name": "strongbox",
"type": "vault",
"url": "https://vault.example.com",
"auth": {
"method": "okta",
"username": "user@example.com"
},
"proxy": "http://proxy:3128",
"tls": {
"ca_cert": "/path/ca.cert",
"client_cert": "/path/client.cert",
"client_key": "/path/client.key"
},
"teleport": {
"proxy": "teleport.example.com",
"cluster": "dev.example.com",
"user": "demo-user",
"app": "my-app"
}
}
],
"secrets": [
{
"name": "DEMO_TOKEN",
"source": "strongbox",
"path": "secret/default",
"field": "token"
},
{
"name": "NESTED_SECRET",
"source": "strongbox",
"path": "secret/default",
"field": [
"subpath",
"to",
"secret"
]
}
]
}
[[tool.secrets-env.sources]]
name = "strongbox"
type = "vault"
url = "https://vault.example.com"
proxy = "http://proxy:3128"
[tool.secrets-env.sources.auth]
method = "okta"
username = "user@example.com"
[tool.secrets-env.sources.tls]
ca_cert = "/path/ca.cert"
client_cert = "/path/client.cert"
client_key = "/path/client.key"
[tool.secrets-env.sources.teleport]
proxy = "teleport.example.com"
cluster = "dev.example.com"
user = "demo-user"
app = "my-app"
[[tool.secrets-env.secrets]]
name = "DEMO_TOKEN"
source = "strongbox"
path = "secret/default"
field = "token"
[[tool.secrets-env.secrets]]
name = "NESTED_SECRET"
source = "strongbox"
path = "secret/default"
field = [
"subpath",
"to",
"secret",
]
Environment variables¶
- SECRETS_ENV_ADDR¶
The URL to the Vault server. Overrides the
url
field.
- SECRETS_ENV_CA_CERT¶
Path to the server side certificate for verifying responses. Overrides the
tls.ca_cert
field.
- SECRETS_ENV_CLIENT_CERT¶
Path to the client certificate for authenticating to the server. Overrides the
tls.client_cert
field.
- SECRETS_ENV_CLIENT_KEY¶
Specifies the path to the client’s private key for authenticating to the server. Overrides the
tls.client_key
field.
- SECRETS_ENV_NO_PROMPT¶
Disables the prompt for username / password when using Login auth methods.
- SECRETS_ENV_PASSWORD¶
The password to authenticate with. Used by Login auth methods.
- SECRETS_ENV_PROXY¶
Use the specified proxy to access Vault. Overrides the
proxy
field.
- SECRETS_ENV_ROLE¶
Role name used by OpenID Connect. Overrides auth.role field.
- SECRETS_ENV_TOKEN¶
The token to use for authentication. Used by Token auth method.
- SECRETS_ENV_USERNAME¶
The username to authenticate with. Overrides auth.username field.
Source section¶
A field name followed by a bookmark icon (
) indicates that it is a required parameter.
proxy
¶
Use the specified proxy to access Vault.
Could be set via environment variable SECRETS_ENV_PROXY
, VAULT_PROXY_ADDR
, VAULT_HTTP_PROXY
or uses standard proxy variables.
Important
You must specify protocol for proxy URL. A typical input could be http://proxy
or http://proxy:3128
.
Further, the proxy URL for the https://
addresses should still be http://
scheme in most cases.
tls
¶
Transport layer security (TLS) configurations.
tls.ca_cert
¶
Path to the server side certificate for verifying responses.
This value could be set via environment variable SECRETS_ENV_CA_CERT
or VAULT_CACERT
.
tls.client_cert
¶
Path to the client certificate for authenticating to the server.
This value could be set via environment variable SECRETS_ENV_CLIENT_CERT
or VAULT_CLIENT_CERT
.
tls.client_key
¶
Specifies the path to the client’s private key for authenticating to the server. If your client certificate already includes the client key in its format, please disregard this field.
This value could be set via environment variable SECRETS_ENV_CLIENT_KEY
or VAULT_CLIENT_KEY
.
teleport
¶
Configuration for Teleport integration.
teleport.proxy
¶
Address to Teleport proxy service.
teleport.cluster
¶
Teleport cluster to connect.
teleport.user
¶
Teleport user name.
Token helper¶
Vault offers a feature known as token helper, which stores the Vault token on the disk.
Secrets.env now includes support for this feature. It means you won’t have to provide the token again after the initial login until it expires.
The token helper file is shared among applications, allowing the token obtained by secrets.env to be used with the Vault CLI, and vice versa.
The token helper login attempt takes precedence over any other authentication method.
Secrets.env first attempts to use the token helper to communicate with the Vault server. If the token is not found or has expired, it will then fall back to the configured authentication method.
Secrets.env DOES NOT consider vault configuration. Instead, it solely reads the token from the default path, which is
~/.vault-token
.
Authentication methods¶
Vault enforces authentication during requests, requiring an identity to access secrets.
By specifying the auth.method field, the associated authentication method will be applied.
Login auth methods¶
Login authentication methods in secrets.env pertains to a group of authentication methods that mandate a username and password combination.
These authentication methods share the same arguments: username and password. Here are the details on how we retrieve the values:
OpenID Connect¶
- method:
oidc
Get authentication via configured OpenID Connect provider using your web browser. This method corresponds to the JWT/OIDC auth method in Vault.
Role¶
Role name. Could be retrieved via:
Environment variable
SECRETS_ENV_ROLE
From auth.role field
Token auth¶
- method:
token
Token auth is one of the simplest ways to authenticate with Vault.
It’s worth noting that secrets.env first tries to retrieve the token using the Token helper before resorting to this authentication method. This method is mainly for manual token input and accepts tokens only from environment variables.
Teleport integration¶
If your Vault is secured using Teleport, you can employ the this feature to establish a connection with Vault.
Enabling¶
Important
To use this feature, additional dependencies are needed. Please check the Teleport Support page for further information.
Once teleport configurations are configured, the Vault provider will request access from Teleport and utilize it to establish a connection to Vault.
Example¶
This configuration instructs secrets.env to request access for “my-vault” from Teleport and establish a connection to the application:
[[sources]]
type = "vault"
[sources.teleport]
proxy = "teleport.example.com"
cluster = "dev.example.com"
app = "my-vault"
sources:
type: vault
teleport:
proxy: teleport.example.com
cluster: dev.example.com
app: my-vault
Since Teleport manages the connection, any URL and TLS configuration provided in the config file will be ignored.
Configuration¶
Just like with the Teleport Provider, the app
field is always mandatory for this functionality.
Other fields are optional. Read teleport section above for more information.
Secrets section¶
The configurations within the secrets
section determine which secrets are to be read.
Simplified layout¶
This provider accepts strings in the format path#field
to represent the path and field of a value. With the simplified layout, you can define config more concisely:
[source]
type = "vault"
url = "https://vault.example.com"
auth = "oidc"
[secrets]
PROD_TOKEN = "secret/default#prod.token"
DEV_TOKEN = { path = "secret/default", field = "dev.token" }
source:
type: vault
url: https://vault.example.com
auth: oidc
secrets:
PROD_TOKEN: secret/default#prod.token
DEV_TOKEN:
path: secret/default
field: dev.token