credentials-to-env: Fetch secrets from Hashicorp's vault or elsewhere before execing a program
Do you have a pre-existing program that assumes that it will receive secrets in either environment variables or files on disk? Would you like to convert that program to work with Hashicorp's Vault?
cargo install credentials_to_env
Then create a file named Secretfile explaining where in Vault the individual secrets can be found:

    # Set environment variables based on Vault secrets.
    DOCKER_HUB_USER secret/docker_hub:user
    DOCKER_HUB_PASSWORD secret/docker_hub:password
    DOCKER_HUB_EMAIL secret/docker_hub:email

    # Create SSL key files based on Vault secrets.
    >$HOME/.docker/ca.pem secret/docker:ca_pem
    >$HOME/.docker/cert.pem secret/docker:cert_pem
    >$HOME/.docker/key.pem secret/docker:key_pem
Finally, prefix the invocation of your program with credentials-to-env:

    credentials-to-env myprogram arg1 arg2
This will automatically fetch secrets from Vault (or any other backend supported by credentials) and write them to the specified environment variables or files.
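To make the two kinds of Secretfile line concrete, here is a small Rust parser for the layout shown above. It is an added example, not code from credentials-to-env: the names `Target`, `Entry` and `parse_secretfile` are hypothetical, and `$HOME` is kept literal because this page does not say how the tool expands it.

```rust
// Added example, not the credentials-to-env parser; all names are hypothetical.
// Assumes one `TARGET path:key` pair per line and no whitespace inside either field.
#[derive(Debug, PartialEq)]
enum Target {
    Env(String),  // NAME: expose the secret as this environment variable
    File(String), // >PATH: write the secret to this file (path kept literal)
}

#[derive(Debug, PartialEq)]
struct Entry { target: Target, vault_path: String, key: String }

fn parse_secretfile(text: &str) -> Result<Vec<Entry>, String> {
    let mut entries = Vec::new();
    for (idx, raw) in text.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue; // blank line or comment
        }
        let err = |msg: &str| format!("line {}: {}", idx + 1, msg);
        let mut fields = line.split_whitespace();
        let (dest, source) = match (fields.next(), fields.next(), fields.next()) {
            (Some(d), Some(s), None) => (d, s),
            _ => return Err(err("expected `TARGET path:key`")),
        };
        // Split on the last ':' so the key is whatever follows it.
        let (vault_path, key) = source
            .rsplit_once(':')
            .filter(|(p, k)| !p.is_empty() && !k.is_empty())
            .ok_or_else(|| err("source must be `path:key`"))?;
        let target = match dest.strip_prefix('>') {
            Some("") => return Err(err("empty file name after `>`")),
            Some(path) => Target::File(path.to_string()),
            None => Target::Env(dest.to_string()),
        };
        entries.push(Entry { target, vault_path: vault_path.into(), key: key.into() });
    }
    Ok(entries)
}

// Constructed sample in the same layout as the Secretfile above.
const SAMPLE: &str = "# comment\nDOCKER_HUB_USER secret/docker_hub:user\n\
>$HOME/.docker/key.pem secret/docker:key_pem\n";

fn main() {
    for e in parse_secretfile(SAMPLE).expect("valid Secretfile") {
        println!("{:?}", e);
    }
}
```

Listing the `File` targets from such a parse is a quick way to review which secrets a given Secretfile will place on disk rather than in the process environment.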
You can also override credentials-to-env by passing in the secrets yourself, which is handy if you call credentials-to-env inside a Docker container, but want to temporarily override the secrets you'd get from
Pull requests are welcome! If you're not sure whether your idea would fit into the project's vision, please feel free to file an issue and ask us.
To build, you'll need to set up your OpenSSL paths first, as described by the Rust OpenSSL project.
To make an official release, you need to be a maintainer, and you need cargo publish permissions. If this is the case, first edit Cargo.toml to bump the version number, then regenerate
Commit the release, using a commit message of the format:
    v<VERSION>: <SUMMARY>

    <RELEASE NOTES>

    git tag v$VERSION
    git push; git push --tags
    cargo publish
This will rebuild the official binaries using Travis CI, and upload a new version of the crate to crates.io.