leverage Vault token helpers approach while obtaining Vault token

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
sigstore · Jul 25, 2021 · 36bca1e · 36bca1e
1 parent 61c9374
commit 36bca1e
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/go.mod b/go.mod
@@ -28,4 +28,5 @@ require (
 	google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f
 	google.golang.org/protobuf v1.27.1
 	gopkg.in/square/go-jose.v2 v2.6.0
+	github.com/mitchellh/go-homedir v1.1.0
 )
diff --git a/pkg/signature/kms/hashivault/client.go b/pkg/signature/kms/hashivault/client.go
@@ -21,13 +21,16 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"log"
 	"os"
+	"path/filepath"
 	"regexp"
 	"strings"
 	"time"
 
 	"github.com/ReneKroon/ttlcache/v2"
 	vault "github.com/hashicorp/vault/api"
+	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 )
@@ -84,7 +87,18 @@ func newHashivaultClient(keyResourceID string) (*hashivaultClient, error) {
 
 	token := os.Getenv("VAULT_TOKEN")
 	if token == "" {
-		return nil, errors.New("VAULT_TOKEN is not set")
+		log.Printf("VAULT_TOKEN is not set, trying to read token from file at path ~/.vault-token")
+		homeDir, err := homedir.Dir()
+		if err != nil {
+			return nil, err
+		}
+
+		tokenFromFile, err := os.ReadFile(filepath.Join(homeDir, ".vault-token"))
+		if err != nil {
+			return nil, err
+		}
+
+		token = string(tokenFromFile)
 	}
 
 	client, err := vault.NewClient(&vault.Config{
@@ -94,6 +108,8 @@ func newHashivaultClient(keyResourceID string) (*hashivaultClient, error) {
 		return nil, errors.Wrap(err, "new vault client")
 	}
 
+	client.SetToken(token)
+
 	transitSecretEnginePath := os.Getenv("TRANSIT_SECRET_ENGINE_PATH")
 	if transitSecretEnginePath == "" {
 		transitSecretEnginePath = "transit"