leverage Vault token helpers approach while obtaining Vault token

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
sigstore · Jul 25, 2021 · 2d45556 · 2d45556
1 parent 61c9374
commit 2d45556
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/pkg/signature/kms/hashivault/client.go b/pkg/signature/kms/hashivault/client.go
@@ -21,13 +21,16 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"log"
 	"os"
+	"path/filepath"
 	"regexp"
 	"strings"
 	"time"
 
 	"github.com/ReneKroon/ttlcache/v2"
 	vault "github.com/hashicorp/vault/api"
+	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 )
@@ -84,7 +87,18 @@ func newHashivaultClient(keyResourceID string) (*hashivaultClient, error) {
 
 	token := os.Getenv("VAULT_TOKEN")
 	if token == "" {
-		return nil, errors.New("VAULT_TOKEN is not set")
+		log.Printf("VAULT_TOKEN is not set, trying to read token from file at path ~/.vault-token")
+		homeDir, err := homedir.Dir()
+		if err != nil {
+			return nil, err
+		}
+
+		tokenFromFile, err := os.ReadFile(filepath.Join(homeDir, ".vault-token"))
+		if err != nil {
+			return nil, err
+		}
+
+		token = string(tokenFromFile)
 	}
 
 	client, err := vault.NewClient(&vault.Config{
@@ -94,6 +108,8 @@ func newHashivaultClient(keyResourceID string) (*hashivaultClient, error) {
 		return nil, errors.Wrap(err, "new vault client")
 	}
 
+	client.SetToken(token)
+
 	transitSecretEnginePath := os.Getenv("TRANSIT_SECRET_ENGINE_PATH")
 	if transitSecretEnginePath == "" {
 		transitSecretEnginePath = "transit"