This repository has been archived by the owner on Jun 27, 2024. It is now read-only.

Glue for Trusted Third Parties & Hashicorp Vault


securityscorecard/vault-vouch


# vault-vouch

This tool acts as glue between a Trusted Third Party and HashiCorp Vault: it authenticates to Vault with the third party's identity and hands back a Vault token. The target use case is consul-template.

The only supported Trusted Third Party is currently AWS IAM.

## Usage

| Command Argument | Environment Variable | Default | Description |
|---|---|---|---|
| `-role=` | `IV_ROLE` | nil | Role to request from Vault |
| `-aws_arn_role=` | `IV_AWS_ARN_ROLE` | nil | ARN of the AWS role to use for the Vault auth payload |
| `-aws_role=` | `IV_AWS_ROLE` | nil | AWS role to use for the Vault auth payload; the ARN is built from the current account's credentials |
| `-vault_addr=` | `IV_VAULT_ADDR` | nil | Vault address |
| `-wrap_token_ttl=` | `IV_WRAP_TOKEN_TTL` | 5m | TTL for the wrapped token; set to 0 to disable wrapping |

## Example

```sh
export VAULT_ADDR=https://vault.contoso.com
export VAULT_TOKEN=$(vault-vouch -role="my-role")
consul-template -template "in.tpl:out.conf" -config "conf.hcl" -vault-unwrap-token -vault-renew-token=false
```
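The README does not show what the "auth payload for Vault" behind `-aws_role` / `-aws_arn_role` looks like. As an added Python example (not the project's code), the following signs an `sts:GetCallerIdentity` request with SigV4 and packs it into the body that Vault's AWS auth method (iam type) accepts at `auth/aws/login`; Vault replays that request to AWS to learn who the caller is. The credentials, timestamp and the `X-Vault-AWS-IAM-Server-ID` value are constructed, and whether vault-vouch itself sets that header is an assumption, not something the page states.

```python
import base64
import datetime
import hashlib
import hmac
import json

# Constructed, non-functional credentials and a fixed timestamp, for offline demonstration only.
FAKE_CREDS = {"access_key": "AKIAEXAMPLE000000000",
              "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
DEMO_TIME = datetime.datetime(2024, 1, 1, 0, 0, 0)
STS_URL = "https://sts.amazonaws.com/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
REGION, SERVICE = "us-east-1", "sts"  # the global STS endpoint is signed as us-east-1


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def sign_get_caller_identity(creds: dict, when: datetime.datetime, server_id: str = "") -> dict:
    """SigV4-sign a POST sts:GetCallerIdentity request; returns the headers Vault will replay to AWS."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request"
    headers = {"content-type": "application/x-www-form-urlencoded; charset=utf-8",
               "host": "sts.amazonaws.com", "x-amz-date": amz_date}
    if server_id:  # extra signed header that Vault can require via iam_server_id_header_value
        headers["x-vault-aws-iam-server-id"] = server_id
    signed = ";".join(sorted(headers))
    canonical = "\n".join(["POST", "/", "", "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
                           signed, hashlib.sha256(STS_BODY.encode()).hexdigest()])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + creds["secret_key"]).encode()
    for part in (amz_date[:8], REGION, SERVICE, "aws4_request"):  # SigV4 signing-key derivation chain
        key = _hmac(key, part)
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds['access_key']}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers


def build_vault_iam_login(role: str, headers: dict) -> dict:
    """Body for POST auth/aws/login (iam auth type): method, URL, body and headers, each base64-encoded."""
    return {"role": role, "iam_http_request_method": "POST", "iam_request_url": _b64(STS_URL),
            "iam_request_body": _b64(STS_BODY),
            "iam_request_headers": _b64(json.dumps({k: [v] for k, v in headers.items()}))}
```

The returned dict is the JSON body for `POST /v1/auth/aws/login`; a wrapping TTL such as the one `-wrap_token_ttl` sets makes Vault answer with a response-wrapping token that consul-template's `-vault-unwrap-token` then redeems.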