libvault

Published: Jun 16, 2021 License: GPL-3.0 Imports: 12 Imported by: 0

README

libvault

A lightweight HashiCorp Vault client written in Go, with no dependencies. It aims to provide an intuitive, simple API that is as easy to use as the Vault CLI.

Currently the module can only read secrets from a Vault secrets engine. This is an ongoing project; feel free to open feature requests, PRs or issues.

Features

  • Supported Auth Methods:
    • Tokens
    • AppRole
    • AwsRole (EC2 method)
  • Supported Secrets Engines:
  • Supports self-signed CA certificates
  • By default, the client reads its Vault connection settings and credentials (address, token, role ids) from environment variables. You can also pass them to the client explicitly through options. Check the tests file for examples.

Installation

go get -d -v github.com/canidam/libvault

Usage

package main

import (
	"fmt"
	"log"
	"os"

	"github.com/canidam/libvault"
)

func main() {
	//
	// Example using Token
	//

	// If the env var is not set, set it here (the token can also be passed with libvault.SetToken)
	os.Setenv("VAULT_TOKEN", "my_token")

	tokenClient, err := libvault.NewClient(libvault.SetVaultAddr("http://localhost:8200"))
	if err != nil {
		log.Fatal(err)
	}

	secretPath := "/my.secrets"
	secretsUsingToken, err := tokenClient.Read(secretPath)
	if err != nil {
		log.Fatal(err)
	}

	// Read returns a map[string]string
	for k, v := range secretsUsingToken {
		fmt.Printf("key %s, secret %s\n", k, v)
	}

	//
	// Example using AppRole
	//

	// If the env vars are not set
	os.Setenv("VAULT_ROLE_ID", "my_role_id")
	os.Setenv("VAULT_SECRET_ID", "my_secret_id")
	os.Setenv("VAULT_ADDR", "http://localhost:8200")

	approleClient, err := libvault.NewClient(libvault.UseApprole())
	if err != nil {
		log.Fatal(err)
	}

	secretsUsingApprole, err := approleClient.Read(secretPath)
	if err != nil {
		log.Fatal(err)
	}

	// Read returns a map[string]string
	for k, v := range secretsUsingApprole {
		fmt.Printf("key %s, secret %s\n", k, v)
	}
}

Documentation

Can be found here

Tests

Check out the project and run

go test -v ./...

testdata/ is a special directory containing raw data for unit-tests.

tests/ includes scripts (and its own README) for starting a dev Vault server for development.

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

If you'd like to contribute, please fork the repository and make changes as you'd like. Pull requests are warmly welcome. Please make sure to update tests as appropriate.

Roadmap

TBD

License

GPLv3.0

Documentation

Constants

const (
	ApproleLoginPath = "/v1/auth/approle/login"
	AwsroleLoginPath = "/v1/auth/aws/login"
)
const (
	TokenLookupPath = "/v1/auth/token/lookup"
	DefaultTimeout  = 10

	ErrAddrMissing  = "vault address is missing"
	ErrTokenMissing = "vault token is missing"
	ErrEmptyToken   = "vault parsed token is empty"
	ErrSecretParse  = "failed to parse secret"
	Err403Auth      = "Authorization error. Check your clientToken."
	Err404NotFound  = "Secret not found"
	ErrUnknown      = "Unknown error"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Approle

type Approle struct {
	// contains filtered or unexported fields
}

func (Approle) LoginEndpoint

func (a Approle) LoginEndpoint() string

func (Approle) LoginPayload

func (a Approle) LoginPayload() io.Reader

type Awsrole

type Awsrole struct {
	// contains filtered or unexported fields
}

func (Awsrole) LoginEndpoint

func (a Awsrole) LoginEndpoint() string

func (Awsrole) LoginPayload

func (a Awsrole) LoginPayload() io.Reader

type Option

type Option func(vc *VaultClient) error

func ProvideApprole

func ProvideApprole(a Approle) Option

ProvideApprole injects an Approle object into the client. Use this if you want to supply the roleId and secretId yourself rather than reading them from the environment vars.

func ProvideAwsrole

func ProvideAwsrole(a Awsrole) Option

ProvideAwsrole injects an Awsrole object into the client. Use this if you want to supply the struct fields yourself rather than reading them from the environment vars.

func SetRootCA

func SetRootCA(cp *x509.CertPool) Option

SetRootCA configures the client with specific RootCAs to trust. Use this when you work with a vault server that uses self-signed certificates.
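The self-signed CA case that SetRootCA exists for, as an added example that is not part of the libvault project: it builds the *x509.CertPool you would hand to libvault.SetRootCA from a PEM-encoded CA certificate, starting from an empty pool so that only that private CA is trusted for the Vault connection, and then checks that a server certificate issued by the CA verifies for the expected hostname while the same certificate fails against an empty pool. The CA and server certificate are generated in-process so the example runs offline; newTestPKI, poolFromPEM and verifiesAgainst are helper names chosen here, and vault.example.internal is a placeholder hostname.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
	"math/big"
	"time"
)

type testPKI struct {
	CAPEM     []byte // the file you would point SetRootCA at
	ServerPEM []byte // what a Vault server using that CA would present
}

// newTestPKI generates a throwaway CA and a server certificate for host. It exists
// only so the example runs offline; in a deployment you load the real CA PEM instead.
func newTestPKI(host string) (*testPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example internal CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{host}, // the SAN is what hostname verification checks
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &testPKI{
		CAPEM:     pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		ServerPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER}),
	}, nil
}

// poolFromPEM builds the *x509.CertPool for libvault.SetRootCA. It starts from an
// empty pool rather than the system roots, so only this CA is trusted for the Vault
// connection, and it fails loudly when the PEM holds no certificate instead of
// silently returning a pool that trusts nothing.
func poolFromPEM(caPEM []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no certificates found in CA PEM")
	}
	return pool, nil
}

// verifiesAgainst reports whether certPEM chains to a root in pool and is valid for
// host: the same check crypto/tls applies to a server certificate when RootCAs is set.
func verifiesAgainst(certPEM []byte, pool *x509.CertPool, host string) bool {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	pki, err := newTestPKI("vault.example.internal") // placeholder hostname
	if err != nil {
		log.Fatal(err)
	}
	pool, err := poolFromPEM(pki.CAPEM) // pass this to libvault.SetRootCA(pool)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("private CA pool:", verifiesAgainst(pki.ServerPEM, pool, "vault.example.internal"))
	fmt.Println("empty pool:", verifiesAgainst(pki.ServerPEM, x509.NewCertPool(), "vault.example.internal"))
}
```

Starting from x509.NewCertPool() is the deliberate choice here: a pool that contains only the private CA means a certificate from any public CA is rejected for the Vault address. If the Vault server is instead behind a publicly trusted certificate, there is no need for SetRootCA at all, and appending the private CA to x509.SystemCertPool() is the option for an environment that genuinely needs both.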

func SetToken

func SetToken(token string) Option

SetToken configures the vault token to use when communicating with the server

func SetVaultAddr

func SetVaultAddr(addr string) Option

SetVaultAddr configures the vault server address of the client

func UseApprole

func UseApprole() Option

UseApprole configures the client with the Approle auth method. Enabling this option reads VAULT_ROLE_ID and VAULT_SECRET_ID from the environment vars.

func UseAwsrole

func UseAwsrole() Option

UseAwsrole configures the client with the Awsrole auth method. It reads VAULT_ROLE, VAULT_PKCS7 and VAULT_NONCE from the environment vars.

type Secret

type Secret interface {
	Secrets() map[string]string
}

Secret is the interface to fetch secrets from the secrets engine used

type VaultClient

type VaultClient struct {
	// contains filtered or unexported fields
}

func NewClient

func NewClient(opts ...func(v *VaultClient) error) (*VaultClient, error)

NewClient creates a new Vault client. The default client is a valid one. You can configure it using functional options. Check the vault_test.go file for examples.

func (*VaultClient) LookupToken

func (c *VaultClient) LookupToken() error

LookupToken performs lookup on a token (mostly to validate it)

func (*VaultClient) Read

func (c *VaultClient) Read(secretPath string) (map[string]string, error)

Read reads a single secret path from the Vault

func (*VaultClient) ReadMany

func (c *VaultClient) ReadMany(secretsPaths []string) (map[string]string, error)

ReadMany reads all the secretsPaths defined, returning a single map containing all the secrets. If a secret key exists in more than a single path, the secret return is from the last path specified.
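The precedence rule above, carried into a runnable form as an added example that is not libvault's own code: readMany is a hypothetical re-implementation of ReadMany's documented merge (later paths override earlier ones) over a constructed in-memory engine, and it goes one step beyond the documentation by also returning the keys that were overridden, since a key silently shadowed by a later path is exactly the kind of misconfiguration worth logging or rejecting before secrets reach an application. The secretReader interface mirrors the signature of (*VaultClient).Read so the same function can be pointed at a real client; fakeEngine and all sample paths and values are constructed here.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// secretReader matches the shape of libvault's (*VaultClient).Read, so the merge
// logic below runs against the in-memory fake here and a real client elsewhere.
type secretReader interface {
	Read(secretPath string) (map[string]string, error)
}

// fakeEngine is a constructed stand-in for a KV secrets engine, keyed by path.
type fakeEngine map[string]map[string]string

var errNotFound = errors.New("Secret not found") // same text as libvault's Err404NotFound

func (f fakeEngine) Read(secretPath string) (map[string]string, error) {
	s, ok := f[secretPath]
	if !ok {
		return nil, fmt.Errorf("%s: %w", secretPath, errNotFound)
	}
	out := make(map[string]string, len(s)) // copy so callers cannot mutate the engine
	for k, v := range s {
		out[k] = v
	}
	return out, nil
}

// readMany merges the secrets at paths in order, later paths overriding earlier
// ones (the precedence ReadMany documents). It additionally returns, sorted, every
// key that was defined by more than one path, and it stops at the first unreadable
// path rather than handing back a partial map.
func readMany(r secretReader, paths []string) (map[string]string, []string, error) {
	merged := map[string]string{}
	shadowed := map[string]bool{}
	for _, p := range paths {
		s, err := r.Read(p)
		if err != nil {
			return nil, nil, fmt.Errorf("readMany: %w", err)
		}
		for k, v := range s {
			if _, seen := merged[k]; seen {
				shadowed[k] = true
			}
			merged[k] = v
		}
	}
	collisions := make([]string, 0, len(shadowed))
	for k := range shadowed {
		collisions = append(collisions, k)
	}
	sort.Strings(collisions)
	return merged, collisions, nil
}

func main() {
	// Constructed sample data: a shared defaults path and an environment-specific path.
	eng := fakeEngine{
		"/app/defaults": {"db_user": "app", "db_password": "default-pw"},
		"/app/prod":     {"db_password": "prod-pw", "api_key": "k1"},
	}
	secrets, collisions, err := readMany(eng, []string{"/app/defaults", "/app/prod"})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("db_password =", secrets["db_password"]) // prod-pw: the last path wins
	fmt.Println("overridden keys:", collisions)            // [db_password]
}
```

Reversing the path order makes /app/defaults win for db_password, which is the point of the documented rule: the order of secretsPaths is a precedence decision, so it belongs in reviewed configuration rather than being assembled ad hoc at runtime.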

func (*VaultClient) String

func (c *VaultClient) String() string
