An example @hashicorp Vault token helper for Mac OS X Keychain.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
.github Create reaction.yml Aug 3, 2018
scripts Initial commit Oct 25, 2017
.gitignore Initial commit Oct 25, 2017
Gopkg.lock Initial commit Oct 25, 2017
Gopkg.toml Initial commit Oct 25, 2017
LICENSE Initial commit Oct 25, 2017
Makefile Initial commit Oct 25, 2017 Initial commit Oct 25, 2017
main.go Initial commit Oct 25, 2017

Vault Token Helper for OS X Keychain

This is sample code and a proof-of-concept for creating an external HashiCorp Vault Token Helper.

By default, Vault authenticates users locally and caches their token in ~/.vault-token. For shared systems or systems where security is paramount, this may not be ideal. Fortunately, this storage mechanism is an abstraction known as a "token helper".

This code demonstrates one possible example of an external token helper. When requesting or storing a token, Vault delegates to this binary.


  1. Download and install the binary from GitHub. I supplied both a signed DMG with my personal Apple Developer ID or you can download the binary directly. If neither of those options suffice, you can audit and compile the code yourself.

  2. Put the binary somewhere on disk, like ~/.vault.d/token-helpers:

    $ mv vault-token-helper ~/.vault.d/token-helpers/vault-token-helper
  3. Create a Vault configuration file at ~/.vault with the contents:

    token_helper = "/Users/<your username>/.vault.d/token-helpers/vault-token-helper"

    Be sure to replace <your username> with your username. The value must be a full path (you cannot use a relative path).

    The local CLI will automatically pickup this configuration value.


  1. Use Vault normally. Commands like vault auth will automatically delegate to keychain access.


There's a handy scripts/ that will start a Vault server in development mode pre-configured with the token helper.

License & Author

This project is licensed under the MIT license by Seth Vargo (