Vault release with CLI only

[dlmorais-pbh]

Is your feature request related to a problem? Please describe.
I work as DevOps engineer and I’m currently creating some utility OCI images to use at our DevOps workflows. One thing that a lot of different images need is the Vault CLI. And I realized that the only release option is the full solution (CLI+Server), and it’s “big” (~150mb), given that my utility images are Alpine based and usually around ~10-15mb.

Describe the solution you'd like
It would be nice to have a release of a Vault CLI without any extra features, to make it as small as possible.

Describe alternatives you've considered
To solve my problem I currently use a DIY shell script capable of read the secrets I need, currently only KV2 engines. But I might need to extend it eventually.
I was also introduced to a external tool created by the community that tries to solve this problem, but I think that a tool to perform such security driven task should be official.

Explain any additional use-cases
I think that it's possible that the Vault Agent could also benefit of this feature. Maybe in the end having 3 different types of release:

• Vault: all-in-one solution (current release type)
• Vault CLI: only the CLI
• Vault Agent: Agent daemon plus CLI, as CLI would be used internally by the Agent (possibly)

[fopinappb]

@dlmorais-pbh binaries are not even slim (#7752)...
I've made changes to get the binary client-only to 30mg if you're interested (haven't bothered to clean and open pull request as the "no symbols" one never got feedback)

[seandilda]

I'd like to reiterate the need for this. I came here to submit a very similar issue for the exact reasons @dlmorais-pbh.

I also love the idea of a separate vault agent binary (and possibly published docker image).

[sebinjohn]

Another use case is that for Enterprise binaries where the license is embedded in the binary itself, a CLI only binary will help with controlling who sets up a Vault server.

[scabala]

@fopinappb do you mind sharing your changes? I would greatly appreciate that

[fopinappb]

@scabala I'll try to create a PR with only those changes, as the modified CLI I'm using has quite a few other changes (that mean nothing upstream).

[Cajga]

Our use case is a terraform docker image in a CI pipeline which is using vault to setup the initial environment.
Although one could argue that a CI pipeline should use the API but please note that unless you are working with vault full time, it is really hard to memorize even one way of working with Vault.

[hhromic]

Another user/team here missing a CLI-only binary that is not 150mb in size for our toolset Docker images :)

[aphorise]

Hey folks what about vault-cli? - that seems just a python wrapper assuming you have python. Out of interest @dlmorais-pbh how did you proceed or did you try that vault-cli out?

If a vaultcli specific binary was provided then it could also include a man page (as noted already on #6472) as well as other additional links to the website if fitting all this into the current project repository is a challenge.

There could be a fork or module of the main repo with all unneeded dependencies stripped as well as UI, server, audit & agent specific portions of the code excluded to build a minimal vaultcli and with additions for extra man page to bundle as well as other reference material.

[dlmorais-pbh]

Hi @aphorise, first of all, I did not try vault-cli because it is not official, and in my specific case the managers do not want a non-official tool to be used to read secrets.

As for how did I proceed, I created a shell script that performs the steps I need using Vault's HTTP API. It is very lightweight, of course, but limited only to the few scenarios used in my continuous integration.

Ps.: Here is the link to the discussion that led to opening this issue: https://discuss.hashicorp.com/t/vault-cli-without-server/16222

[hhromic]

Hi @aphorise , thanks for keeping up with this issue.

Like @dlmorais-pbh , we also didn't try vault-cli. In our case, we need the Vault CLI tool to be inside small Docker images that do not already use Python. Therefore, adding Python as a dependency bloats the image up and thus, in that case, we better then just use the big official vault binary as vault-cli + Python defeats the purpose of small images.

Also, now that @dlmorais-pbh mentions it, we also would highly prefer an official solution for security/trust reasons.
We also are considering, for now, on simply implementing a minimal/tailored HTTP API tool based on curl + shell scripting.
But yes, this solution does not scale well to new use cases and is subject to break in the future if the API changes.

[Timost]

Hi,
Another use case I would have is to be able to talk to a distant vault server during the init phase of VM boot to be able to fetch secrets needed later on.

I'm also currently resorting to shell scripts.