
Load secrets and SSH certificates from HashiCorp Vault

Capistrano Vault

Gives Capistrano access to your HashiCorp Vault server so that it can sign a certificate for SSH access to your servers, or read an access token saved in Vault.


Add this line to your application's Gemfile:

gem 'capistrano-vault'


SSH without config

Enable SSH Plugin in Capfile

# ...
require "capistrano/vault"

# This hook overrides your SSH options to use the signed key and publickey authentication.
install_plugin Capistrano::Vault::SSH

Set up the signing options

set :vault_address, 'https://vault.example.com' # If not set, it will use ENV['VAULT_ADDR']
set :vault_ssh_mount_path, 'ssh-client-signer'
set :vault_ssh_role, 'deploy'

Before running any Capistrano command, make sure you have already logged in with vault login.

Make sure you have added the trusted CA to your server.
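
The last step above leaves the server side implicit. As an added example (not code from capistrano-vault), this script fetches the CA public key from the ssh-client-signer mount and registers it with sshd through TrustedUserCAKeys. The file locations and the VAULT_SSH_MOUNT variable are assumptions.

```shell
#!/bin/sh
# Added example, not part of capistrano-vault. Run on the target server as root.
# Assumed: mount path and address from the settings above; file locations are
# conventional choices. Call with "apply" to fetch and install for real.
VAULT_ADDR="${VAULT_ADDR:-https://vault.example.com}"
MOUNT="${VAULT_SSH_MOUNT:-ssh-client-signer}"   # VAULT_SSH_MOUNT is a hypothetical variable

# True only for a file holding exactly one OpenSSH public key line.
is_ssh_pubkey() {
    [ -s "$1" ] || return 1
    [ "$(grep -c . "$1")" -eq 1 ] || return 1
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$1"
}

# install_trusted_ca <fetched_key> <sshd_config> <ca_dest>
# Returns 1 on a bad key, 2 if the config already trusts a different CA file.
install_trusted_ca() {
    key=$1; conf=$2; dest=$3
    is_ssh_pubkey "$key" || { echo "refusing: not an SSH public key: $key" >&2; return 1; }
    # sshd keywords are case-insensitive, so compare in lower case.
    current=$(awk 'tolower($1) == "trustedusercakeys" { print $2 }' "$conf")
    case "$current" in
        "" | "$dest") ;;
        *) echo "refusing: $conf already sets TrustedUserCAKeys $current" >&2; return 2 ;;
    esac
    cp "$key" "$dest" && chmod 644 "$dest" || return 1
    if [ -z "$current" ]; then
        # Prepend so the directive stays global and never lands inside a Match block.
        new=$(mktemp) || return 1
        { printf 'TrustedUserCAKeys %s\n' "$dest"; cat "$conf"; } > "$new" &&
            cat "$new" > "$conf"
        rc=$?; rm -f "$new"; return "$rc"
    fi
}

# Fetch from Vault's public_key endpoint, install, then let sshd check the config.
if [ "${1:-}" = "apply" ]; then
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    curl -fsS -o "$tmp" "$VAULT_ADDR/v1/$MOUNT/public_key" &&
        install_trusted_ca "$tmp" /etc/ssh/sshd_config /etc/ssh/trusted-user-ca-keys.pem &&
        sshd -t && echo "CA installed; reload sshd to apply"
fi
```

The key-format check matters because a failed or intercepted fetch can return an error page instead of a key, and the refusal on a conflicting TrustedUserCAKeys line keeps an existing CA from being replaced unnoticed.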


