-
Notifications
You must be signed in to change notification settings - Fork 1
/
vault-sync.example.yaml
69 lines (56 loc) · 2.43 KB
/
vault-sync.example.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# Configuration file for vault-sync
# https://github.com/pbchekin/vault-sync
# Name for this vault-sync instance. If there are multiple vault-sync instances running for the same
# source Vault, then this name must be unique for each instance.
id: vault-sync
# Time between full syncs. The full sync usually runs when vault-sync starts, then vault-sync only
# apply changes for the secrets. However, vault-sync also does the full sync every this interval.
# It does not do any changes to the destination, if the source secrets are not changed.
full_sync_interval: 3600 # 1h
# Optional address and port for this vault-sync to listen for the Vault audit log. Set this if you
# are planning to use the Vault audit device.
# bind: 0.0.0.0:8202
# Source Vault configuration to sync secrets from.
src:
# Vault URL
url: http://127.0.0.1:8200/
# Prefix for secrets: only secrets with path starting from this prefix will be synchronized with
# the target Vault. Use empty string ("") for all secrets.
prefix: ""
# Path for the secrets engine, default is "secret".
# backend: secret
# Secrets engine version, default is 2.
# version: 2
# Vault Token auth method
# Set token (or environment variable VAULT_SYNC_SRC_TOKEN)
# token: ***
# token_ttl: 86400 # optional, 12h
# Vault AppRole auth method
# Set role_id and secret_id (or environment variables VAULT_SYNC_SRC_ROLE_ID and VAULT_SYNC_SRC_SECRET_ID)
# role_id: ***
# secret_id: ***
# token_ttl: 86400 # optional, 12h
# token_max_ttl: 2764800 # 32d
# Destination Vault configuration to sync secrets to.
dst:
# Vault URL
url: http://127.0.0.1:8200/
# Prefix for secrets: this prefix will replace the corresponding prefix from the 'src' section.
# This allows syncing a tree of secrets to a non overlapping tree in the same Vault.
# For example: if src.prefix is "src" and dst.prefix is "dst", then secret "src/secret1" will be
# synced to "dst/secret1".
prefix: ""
# Path for the secrets engine, default is "secret".
# backend: secret
# Secrets engine version, default is 2.
# version: 2
# Vault Token auth method
# Set token (or environment variable VAULT_SYNC_DST_TOKEN)
# token: ***
# token_ttl: 86400 # optional, 12h
# Vault AppRole auth method
# Set role_id and secret_id (or environment variables VAULT_SYNC_DST_ROLE_ID and VAULT_SYNC_DST_SECRET_ID)
# role_id: ***
# secret_id: ***
# token_ttl: 86400 # optional, 12h
# token_max_ttl: 2764800 # 32d