c4c-secrets
A dive into secret management for c4c web-app
HashiCorp Vault
- docker-compose.yml -> docker-compose.hashicorp.yml
  - Uses the file storage backend (single node, no HA: may be slow/unreliable!)
  - Can be migrated to AWS in the future
- Pretty good CLI experience
- You could try my (@Pegasust) deployment at pegasust.com/vault
  - Log in with your GitHub account (this is done with a GitHub personal access token; see the docs)
  - Make sure that you're in our change-for-change organization
  - and also in the web-dev GitHub team
Installing the CLI
See HashiCorp's official installation guide.
- You could also access the secrets with the web UI, but to streamline the env exchange process we should use the CLI.
Login as user (CLI)
```sh
export VAULT_ADDR='https://c4c.pegasust.com'
vault login -method=github
```
- Vault prompts for your GitHub personal access token; it needs the read:org scope so Vault can verify your org and team membership. Type it at the prompt rather than passing it as a command-line argument, so it does not end up in your shell history.
Vault onto .env*
```sh
vault kv get --format=json path/to/secret | jq -r '.data|to_entries|map("\(.key)=\(.value|tostring)")|.[]'
# Likely
vault kv get --format=json secret/c4c-web-app | jq -r '.data|to_entries|map("\(.key)=\(.value|tostring)")|.[]'
```
- NOTE: the `.data|to_entries` filter is right for a KV version 1 mount. On a KV version 2 mount (what `secret/` is on a dev-mode server) the key/value map is nested under `.data.data` next to `.data.metadata`, so the filter must start with `.data.data` or you get `data=...` and `metadata=...` instead of your keys. `vault secrets list -detailed` shows the version of each mount.
- Values containing spaces or quotes are printed bare, which a shell `source .env` would mangle; check the output before committing it to a `.env` file, and keep that file readable only by you.
Simple put-get-list
```sh
# put
vault kv put path/to/secret hello="world"
# get a single field
vault kv get -field=hello path/to/secret
# show every field of the secret
vault kv get path/to/secret
```
- `vault kv put` replaces the whole secret at that path, not just the keys you pass; on a KV version 2 mount use `vault kv patch` to change one key and keep the rest.
.env.* onto Vault
- NOTE: this does not support syntax like `HELLO='WORLD'`; the quotes would be stored as part of the value. Everything must be in the form `HELLO=WORLD`, and values must not contain spaces, because the unquoted command substitution is word-split by the shell.
```sh
vault kv put path/to/secret `cat .env`
# Likely (drops comment lines)
vault kv put secret/c4c-web-app `grep -v ^# .env`
```
- This replaces the entire secret at that path with the contents of `.env`; any key present in Vault but missing from the file is gone after the put.
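The two directions above ("Vault onto .env*" and ".env.* onto Vault") both break on quoted values, values with spaces, and the KV version 2 response shape. The following helpers are an added example for this page, not code from the c4c-secrets repo: they parse a `.env` file properly, pull the key/value map out of `vault kv get --format=json` output for either KV version, write the `.env` file with owner-only permissions, and build the `vault kv put` argument list for `subprocess.run` so no shell word-splitting happens in between. The `SAMPLE_*` inputs are constructed for the example and are not real secrets or real Vault responses.

```python
"""Added example (not part of the c4c-secrets repo): converting between a
.env file and the JSON that `vault kv get --format=json` returns, without
the word-splitting and quoting pitfalls of `vault kv put path `cat .env``.
The sample inputs below are constructed for this example, not real secrets."""
import json
import os
import re
import shlex

# KEY=VALUE with optional leading "export " and optional surrounding quotes.
_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
# Values made only of these characters are written to .env without quotes.
_SAFE = re.compile(r"[A-Za-z0-9_./:@+-]*")


def parse_dotenv(text):
    """Parse .env text into a dict.

    Skips blank and '#' lines, accepts 'export KEY=...', strips matching
    single or double quotes around a value, and unescapes \\" and \\\\ inside
    double quotes. Unquoted values run to end of line, spaces included."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparseable .env line: %r" % raw)
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            quote, value = value[0], value[1:-1]
            if quote == '"':
                value = re.sub(r'\\(["\\])', r"\1", value)
        env[key] = value
    return env


def secret_data(vault_json):
    """Return the key/value map from `vault kv get --format=json` output.

    KV v1 puts the map directly under .data; KV v2 (the default `secret/`
    mount on a dev-mode server) nests it under .data.data beside
    .data.metadata, which is why a plain `.data|to_entries` jq filter prints
    data=... and metadata=... instead of the secret's own keys."""
    data = json.loads(vault_json)["data"]
    if isinstance(data.get("data"), dict) and isinstance(data.get("metadata"), dict):
        return data["data"]  # KV v2 response shape
    return data  # KV v1 response shape


def to_dotenv(env):
    """Render a dict as .env lines, double-quoting (and escaping) any value
    that a shell `source .env` would otherwise mangle."""
    lines = []
    for key, value in sorted(env.items()):
        value = str(value)
        if not _SAFE.fullmatch(value):
            value = '"%s"' % value.replace("\\", "\\\\").replace('"', '\\"')
        lines.append("%s=%s" % (key, value))
    return "\n".join(lines) + "\n"


def write_dotenv(path, env):
    """Create the .env file with mode 0600 so other local users cannot read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(to_dotenv(env))


def kv_put_argv(path, env):
    """argv for `vault kv put PATH KEY=VALUE ...`, meant for
    subprocess.run(argv, check=True) with no shell in between, so values
    with spaces or quotes reach Vault intact. `kv put` still replaces the
    whole secret at PATH, exactly like the CLI one-liner does."""
    return ["vault", "kv", "put", path] + ["%s=%s" % kv for kv in sorted(env.items())]


# Constructed sample inputs (not real secrets, not from the c4c project).
SAMPLE_DOTENV = r"""
# database settings
export DATABASE_URL='postgres://c4c:pw with space@db:5432/app'
API_KEY="abc\"123"
PLAIN=value
"""
SAMPLE_KV2_JSON = json.dumps({
    "request_id": "constructed", "data": {
        "data": {"HELLO": "world", "PORT": "3000"},
        "metadata": {"version": 2, "destroyed": False},
    }})
SAMPLE_KV1_JSON = json.dumps({"request_id": "constructed",
                              "data": {"HELLO": "world", "PORT": "3000"}})

if __name__ == "__main__":
    # Vault -> .env direction, then .env -> Vault direction (printed, not run).
    print(to_dotenv(secret_data(SAMPLE_KV2_JSON)), end="")
    print(shlex.join(kv_put_argv("secret/c4c-web-app", parse_dotenv(SAMPLE_DOTENV))))
```

To use it against a live server, feed `subprocess.run(["vault", "kv", "get", "--format=json", path], capture_output=True, check=True).stdout` into `secret_data` and pass `kv_put_argv(...)` to `subprocess.run(..., check=True)`; the `VAULT_ADDR` and login token are picked up from the environment and `~/.vault-token` exactly as for the CLI commands above.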
About the cubbyhole secret engine
- It is per-token (that is, per-login) secret storage: only the token that wrote a cubbyhole entry can read it, and the entry is destroyed when that token expires or is revoked.
- Can be used as a secret manager
- Don't count on my deployment to be 100% reliable!