Hashicorp Vault inject directory

I want to inject a whole directory using the agent injector.

I would, firstly, like to know if this is even possible.

I will explain myself:

I have this secrets directory: /secret/dev/app/ and under app, I have aws/some_secrets, db/some_secrets, etc.

Is it possible to inject the app directory without having the full secret name?



Solution 1:

I would say take a look at Agent Templates.

If you take a look at step 7 of the tutorial:

{{ with secret "secret/data/customers/acme" }}
Organization: {{ .Data.data.organization }}
ID: {{ .Data.data.customer_id }}
Contact: {{ .Data.data.contact_email }}
{{ end }}

You could simply template this template file with a script, then run the agent. But your script that generates the dynamic template file would have to do some heavy lifting...

List all secrets under a KV v2 basepath (if the engine mount path has no / characters in it):

#!/usr/bin/env bash
# Recursively list every secret below a KV path. Defaults to KV v2 (LISTs
# the /metadata/ endpoint); pass -kv1 first for a KV v1 mount.
# Needs VAULT_ADDR and VAULT_TOKEN in the environment, plus curl and jq.
listall() {
  local mode="-kv2" kv2opt="/metadata"
  if [ "${1}" = "-kv2" ]; then
    shift
  elif [ "${1}" = "-kv1" ]; then
    mode="-kv1"; kv2opt=""
    shift
  fi
  # 'local' matters: the function recurses from inside the loop below, and a
  # global sarg would be overwritten for the remaining iterations.
  local sarg engine vpath base
  sarg=$(printf '%s' "${1}" | sed -E 's~/*$~~; s~^/*~~')
  engine=$(printf '%s' "${sarg}" | cut -d/ -f1)
  # Accept either "secret/dev/app" or "secret/metadata/dev/app" as input.
  if [ "$(printf '%s' "${sarg}" | cut -s -d/ -f2)" = "metadata" ]; then
    vpath=$(printf '%s' "${sarg}" | sed -E "s~^${engine}/metadata/?~~")
  else
    vpath=$(printf '%s' "${sarg}" | sed -E "s~^${engine}/?~~")
  fi
  base="${engine}${vpath:+/${vpath}}"
  curl -s -H "X-Vault-Request: true" -H "X-Vault-Token: ${VAULT_TOKEN}" --request LIST \
    "${VAULT_ADDR}/v1/${engine}${kv2opt}/${vpath}" | jq -rc '.data.keys[]' | while IFS= read -r li; do
    if [ "${li: -1}" != "/" ]; then
      printf '%s/%s\n' "${base}" "${li}"
    else
      listall "${mode}" "${base}/${li}"   # keep the same KV mode when recursing
    fi
  done
}
listall -kv2 "secret/dev/app" | while IFS= read -r path; do
  # The template 'secret' function reads KV v2 through the /data/ endpoint,
  # so "secret/dev/app/aws/x" must become "secret/data/dev/app/aws/x".
  tplpath="${path%%/*}/data/${path#*/}"
  cat << EOF >> template.tpl
{{ with secret "${tplpath}" }}
${path}: {{ .Data.data }}
{{ end }}
EOF
done

...and then maybe run the resultant template.tpl file through the Vault Agent using the template process. But that's pretty useless if things have to be read by a machine after the template finishes, so you may need to have a new loop read each secret to figure out what the keys are on each secret. And then do some advanced formatting. However, the way you structured your question, this technically answers it, and you can figure out how to do the rest (or reframe your question, or ask a new question).
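The answer leaves the last step open: the generated template prints each secret as Go's map formatting, which nothing downstream can parse without a second loop that reads every secret to learn its keys. The following is an added example, not part of the original answer and not Vault's or HashiCorp's code. It takes a list of logical KV v2 paths (the kind a recursive LIST such as the listall function above prints), converts each to the /data/ API path the template's secret function needs, and emits one stanza per secret that renders as a JSON line using toJSON, a consul-template function that Vault Agent templates provide. Key enumeration then happens inside the agent at render time, so the generator never has to read the secrets itself. kv2_data_path and render_template are names chosen here, not Vault commands, and the sample paths at the bottom are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Turns a list of logical KV v2
# secret paths into a Vault Agent template whose rendered output is JSON lines.

# Convert "secret/dev/app/aws/creds" (or the "secret/metadata/..." form the
# metadata LIST endpoint uses) into "secret/data/dev/app/aws/creds", the
# path the template 'secret' function needs for a KV v2 read.
# Assumption: the mount name contains no '/' (same restriction as the answer).
kv2_data_path() {
  local p mount rest
  p=$1
  p=${p#/}; p=${p%/}                      # trim one leading/trailing slash
  case $p in
    */*) ;;
    *)  printf 'kv2_data_path: "%s" names a mount, not a secret\n' "$p" >&2
        return 1 ;;
  esac
  mount=${p%%/*}; rest=${p#*/}
  case $rest in                           # already an API path? strip the
    data/*)     rest=${rest#data/} ;;     # endpoint segment so it is not
    metadata/*) rest=${rest#metadata/} ;; # doubled
  esac
  printf '%s/data/%s\n' "$mount" "$rest"
}

# Read logical paths from stdin (one per line) and print the template text.
# Each stanza renders as one JSON object per line: {"path":...,"data":{...}}.
# toJSON marshals the secret's key/value map, so a consumer can parse the
# rendered file with jq instead of scraping Go's map[k:v] formatting.
render_template() {
  local path api
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    case $path in *'"'*|*'\'*)          # keep the emitted JSON well-formed
      printf 'render_template: skipping unsafe path %s\n' "$path" >&2
      continue ;;
    esac
    api=$(kv2_data_path "$path") || continue
    printf '{{ with secret "%s" }}{"path":"%s","data":{{ .Data.data | toJSON }}}{{ end }}\n' \
      "$api" "$path"
  done
}

# Stand-alone demo with constructed paths (these secrets do not exist).
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' secret/dev/app/aws/creds secret/dev/app/db/creds | render_template
fi
```

Run it as `listall -kv2 secret/dev/app | render_template > template.tpl` to replace the heredoc loop in the answer, or `./script --demo` to see the template text on its own. The resulting template can be handed to the injector through the vault.hashicorp.com/agent-inject-template-&lt;name&gt; annotation (paired with vault.hashicorp.com/agent-inject-secret-&lt;name&gt;) or to a standalone agent's template block; a consumer then reads the rendered file one JSON object per line, for example with `jq -c .data`.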

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
