# vaultfs Hashicorp Vault fuse filesystem

This package fetches secrets from the Vault server whenever a secret is not found in the local path.

## Setup

```bash
git clone
cd vaultfs
sudo python3.6 setup.py install
```

## Usage

```bash
usage: vaultfs.py [-h] [-c] [-m] [-l] [-r] [-s] [-p]

Vault fuse file system

optional arguments:
  -h, --help            show this help message and exit
  -c , --config         Configuration file.
  -m , --mountpoint     where the fuse filesystem will be mounted.
  -l , --local          credentials local path after being pulled from vault.
  -r , --remote         Vault Server HTTPS address.
  -s , --secrets-path   List of secrets path in the Vault server.
  -p , --payload        Vault authentication token

Note: arguments: "--mountpoint", "--local", "--remote", "--secetes-path" and "--payload" are required when "--config" is missing
```

This is a WIP.

This is what we want to implement:

- This module requires a mountpoint, a local path and the remote URL of the HashiCorp Vault.
- It will also require:
  - a token (payload) that allows vaultfs to authenticate the requests it makes to the Vault;
  - a list of secret engines from which secrets will be fetched (this requires that the token has enough permissions to access them);
  - a data_key: since the Vault stores secrets in a KV2 backend (currently kv will not be supported), we need to specify the key under which the secrets are stored.

The system or a human will expect files to be in the mountpoint; vaultfs first fetches them from the Vault and copies them to the local path, so that from then on the system, programs or human can find the file at the expected destination.
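The fetch-then-cache flow described above, as an added example that is not the vaultfs project's own code. It assumes the KV v2 read endpoint `GET {remote}/v1/{mount}/data/{path}` with the token in the `X-Vault-Token` header, takes the file body from the configured `data_key`, and includes the hashlib version check listed in the TODO below; `demo()` runs it offline against a constructed KV v2 response instead of a live server.

```python
import hashlib
import json
import os
import tempfile
import urllib.request
from pathlib import Path

def vault_kv2_get(remote, mount, path, token, timeout=5):
    """Read one KV v2 secret: GET {remote}/v1/{mount}/data/{path} with the token header."""
    url = f"{remote.rstrip('/')}/v1/{mount}/data/{path.strip('/')}"
    req = urllib.request.Request(url, headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # HTTPS, certs verified by default
        return json.load(resp)

def extract_value(body, data_key):
    """KV v2 nests the stored pairs under body['data']['data']; pick the configured key."""
    try:
        return body["data"]["data"][data_key]
    except (KeyError, TypeError):
        raise KeyError(f"secret has no key {data_key!r}") from None

def ensure_local(local, name, fetch, data_key):
    """Return (bytes, fetched): serve the cached file if present, otherwise pull it
    via fetch(name) and write it with owner-only permissions (tmp file + atomic rename)."""
    target = Path(local) / name
    if target.is_file():
        return target.read_bytes(), False
    data = extract_value(fetch(name), data_key).encode()
    target.parent.mkdir(parents=True, exist_ok=True)
    tmp = target.with_name(target.name + ".tmp")
    tmp.write_bytes(data)
    os.chmod(tmp, 0o600)          # secret material: no group/world read
    tmp.replace(target)           # readers never observe a partially written file
    return data, True

def is_stale(local_bytes, remote_body, data_key):
    """The README's hashlib idea: a digest mismatch means Vault holds a newer version."""
    remote = extract_value(remote_body, data_key).encode()
    return hashlib.sha256(local_bytes).digest() != hashlib.sha256(remote).digest()

def demo():
    """Offline walk-through: a fake fetch returns a constructed KV v2 response body."""
    calls = []
    def fake_fetch(name):         # stands in for vault_kv2_get(remote, mount, name, token)
        calls.append(name)
        return {"data": {"data": {"value": "s3cr3t\n"}, "metadata": {"version": 2}}}
    with tempfile.TemporaryDirectory() as local:
        first, fetched1 = ensure_local(local, "app/db.pass", fake_fetch, "value")
        second, fetched2 = ensure_local(local, "app/db.pass", fake_fetch, "value")
        rotated = {"data": {"data": {"value": "r0tated\n"}}}  # constructed newer version
        return first, fetched1, fetched2, len(calls), is_stale(second, rotated, "value")
```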

TODO:

- Make sure the mount point is empty before mounting the filesystem / move the files to the cache if possible.
- Make sure the program checks the Vault for a new version of an existing file (use hashlib).
- Harden the logging. [done]
- Implement rotating tokens and generating them from a role id (maybe?).
- Implement getting configs from a file (that we may put in /etc/). [done]

### Notes

Using a non-empty folder as the mountpoint fails with this error:

```bash
fuse: mountpoint is not empty
fuse: if you are sure this is safe, use the 'nonempty' mount option
```

As the error message says, to work around this we need to pass `nonempty=True` as a FUSE function parameter. Mounting over a non-empty folder causes the files in there to disappear, so it makes sense to copy them somewhere else first (best is the local cache).