An Elixir Release Config Provider to pull vault secrets into app env.

sevenmind/vault_config_provider

VaultConfigProvider

VaultConfigProvider is an Elixir release config provider for loading secrets from Vault into app env at runtime.

Built for Vaultex.

Installation

The package can be installed by adding :vault_config_provider to your list of dependencies in mix.exs:

def deps do
  [
    {:vault_config_provider, "~> 0.4.0"}
  ]
end

Configure your release and add VaultConfigProvider as a config provider:

def project do
  [
    releases: [
      # config providers run at release boot, in the order listed
      config_providers: [{VaultConfigProvider, nil}]
    ]
  ]
end

Configuration

Read the Vaultex docs, and configure Vaultex with your Vault address and credentials. The Vault address can be set from the system environment or the application environment.

VaultConfigProvider assumes Vault auth credentials are already set in the application environment by earlier config providers.

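# Kubernetes auth: the JWT is read from disk when this config is evaluated
config :vaultex,
  auth: {:kubernetes, %{jwt: File.read!("/tmp/token"), role: "my_role"}},
  # plain http to loopback as shown; use https for any remote Vault
  vault_addr: "http://127.0.0.1"

# or

# token auth (a root token as shown is only appropriate for a local dev server)
config :vaultex,
  auth: {:token, {"root"}}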

Usage

The provider resolves app env values that match one of two address patterns: strings or keyword lists. Keyword lists can contain transformations.

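# string address, secret: form
config :my_app,
  username: "secret:secret/services/my_app key=username"

# or string address, vault: form
config :my_app,
  username: "vault:secret/services/my_app#username"

# or keyword address, with an optional transformation
config :my_app,
  username: [
    path: "secret/services/my_app",
    key: "username",
    fun: &String.upcase/1
  ]

# string address without a key
config :my_app,
  user_config: "secret:secret/services/my_app" # %{"key" => "username"}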

A string address is expected to include either secret:/path and key=key_name, or vault:path and #key_name.

A keyword address must contain the keys key and path, and may contain an optional fun function, which is applied to any returned values.
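The address forms above, as an added Elixir example that is not VaultConfigProvider's own code: it classifies each app env value as an address or a plain value and resolves addresses through a stand-in reader. The module name AddressExample, the functions parse/1 and resolve/2, the regexes, and the `read` function are assumptions made for illustration; the sample store is constructed and no Vault server is contacted.

```elixir
# Added illustration; not VaultConfigProvider's source. The regexes are an
# assumed reading of the address forms shown in this README.
defmodule AddressExample do
  defp secret_re, do: ~r/^secret:(?<path>\S+)(?:\s+key=(?<key>\S+))?$/
  defp vault_re, do: ~r/^vault:(?<path>[^#\s]+)#(?<key>\S+)$/
  # {:ok, %{path: _, key: _, fun: _}} for an address, :error for any other value.
  def parse(value) when is_binary(value) do
    case Regex.named_captures(secret_re(), value) || Regex.named_captures(vault_re(), value) do
      %{"path" => path, "key" => ""} -> {:ok, %{path: path, key: nil, fun: nil}}
      %{"path" => path, "key" => key} -> {:ok, %{path: path, key: key, fun: nil}}
      nil -> :error
    end
  end

  def parse(value) when is_list(value) do
    case Keyword.keyword?(value) && {value[:path], value[:key]} do
      {path, key} when is_binary(path) and is_binary(key) ->
        {:ok, %{path: path, key: key, fun: value[:fun]}}
      _ -> :error
    end
  end

  def parse(_other), do: :error

  # Replaces every address in a flat keyword list. `read` is a hypothetical
  # stand-in for the Vault client: path -> map of the secret's fields.
  def resolve(env, read) do
    for {name, value} <- env do
      case parse(value) do
        {:ok, %{path: path, key: key, fun: fun}} ->
          data = read.(path)
          picked = if key, do: Map.fetch!(data, key), else: data
          {name, if(fun, do: fun.(picked), else: picked)}
        :error -> {name, value}
      end
    end
  end
end

# Constructed sample data standing in for Vault.
store = %{"secret/services/my_app" => %{"username" => "svc_user"}}
env = [
  a: "secret:secret/services/my_app key=username",
  b: "vault:secret/services/my_app#username",
  c: [path: "secret/services/my_app", key: "username", fun: &String.upcase/1],
  d: "secret:secret/services/my_app",
  e: "plain value"
]
IO.inspect(AddressExample.resolve(env, &Map.fetch!(store, &1)))
```

A path or key that does not exist raises through Map.fetch!/2, so a mistyped address stops the run instead of leaving the address string in place of the credential.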

Copyright and License

Copyright (c) 2018 7Mind GmbH

This library is licensed under the MIT license.
