/vault_config_provider

An Elixir Release Config Provider to pull vault secrets into app env.

Primary LanguageElixirMIT LicenseMIT

VaultConfigProvider

Module Version Hex Docs Total Download License Last Updated

VaultConfigProvider is an Elixir release config provider for loading secrets from Vault into app env at runtime.

Built for Vaultex.

Installation

The package can be installed by adding :vault_config_provider to your list of dependencies in mix.exs:

def deps do
  [
    {:vault_config_provider, "~> 0.4.0"}
  ]
end

Configure your release and add VaultConfigProvider as a config provider:

def project
  [
    releases: [
      config_providers: [{VaultConfigProvider, nil}]
    ]
  ]

Configuration

Read the Vaultex docs, and configure vaultex with your vault address and credentials. The Vault address can be set from the system environment or application environment.

VaultConfigProvider assumes vault auth credentials are already set in application environment by earlier config providers.

config :vaultex,
  auth: {:kubernetes, %{jwt: File.read!("/tmp/token"), role: "my_role"}},
  vault_addr: "http://127.0.0.1"

# or

config :vaultex,
  auth: {:token, {"root"}}

Usage

The provider will resolve secrets stored matching two patterns: strings or keyword lists. Keyword lists can contain transformations.

config :my_app,
  username: "secret:secret/services/my_app key=username"
  
  username: "vault:secret/services/my_app#username"

  username: [
    path: "secret/services/my_app",
    key: "username",
    fun: &String.upcase/1
  ]

  user_config: "secret:secret/services/my_app" # %{"key" => "username}

A string address is expected to include secret:/path and key=key_name or vault:path and #key_name

A keyword address must contain the keys key and path and may contain optional fun function which will be applied to any returned values

Copyright and License

Copyright (c) 2018 7Mind GmbH

This library licensed under the MIT license.