
Use vault to resolve secrets. This is a convenience function that wraps a pattern that we have used in a few applications of vault. The idea is to allow replacement of data in configuration with special strings that indicate that the string refers to a vault secret. This function resolves those secrets.

Usage

vault_resolve_secrets(x, ..., login = TRUE, vault_args = NULL)

Arguments

x

List of values, some of which may refer to vault secrets (see Details for pattern). Any values that are not strings or do not match the pattern of a secret are left as-is.

...

Args to be passed to vault_client call.

login

Login method to be passed to call to vault_client.

vault_args

As an alternative to using login and ..., a list of (named) arguments can be provided here, equivalent to the full set of arguments that you might pass to vault_client. If provided, then login is ignored and if additional arguments are provided through ... an error will be thrown.

Value

List of properties with any vault secrets resolved.

Details

For each element of the data, if a string matches the form:

  VAULT:<path to secret>:<field>

then it will be treated as a vault secret and resolved. The <path to secret> will be something like /secret/path/password and the <field> the name of a field in the key/value data stored at that path. For example, suppose you have the data list(username = "alice", password = "s3cret!") stored at /secret/database/user, then the string

  VAULT:/secret/database/user:password

would refer to the value s3cret!
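The parsing rules above (match the VAULT:<path>:<field> form, look up the field, leave everything else untouched) can be exercised without a running Vault server. The following is an added example, not vaultr's own implementation: it uses a constructed in-memory store in place of a vault client, and the function names resolve_secrets_offline and read_field, the regular expression, and the sample data are all this example's assumptions rather than anything vaultr defines.

```r
# Added example, not vaultr's code: an offline resolver for the
# "VAULT:<path to secret>:<field>" convention, backed by a constructed
# in-memory store instead of a vault client. All names are hypothetical.

# Constructed stand-in for the key/value data stored at each path.
fake_store <- list(
  "/secret/database/user" = list(username = "alice", password = "s3cret!")
)

# Return the named field at a path, or fail with a clear error.
# In the real function this lookup is a read through vault_client.
read_field <- function(store, path, field) {
  data <- store[[path]]
  if (is.null(data)) {
    stop(sprintf("No secret stored at '%s'", path))
  }
  if (!field %in% names(data)) {
    stop(sprintf("Field '%s' not found at '%s' (available: %s)",
                 field, path, paste(names(data), collapse = ", ")))
  }
  data[[field]]
}

# Resolve every element of x that is a single string matching the
# pattern; numbers, non-matching strings and NULLs are returned as-is,
# mirroring the documented contract of vault_resolve_secrets.
resolve_secrets_offline <- function(x, store) {
  # Example's own regex: the path may contain ':'; the field may not,
  # so the split happens at the last colon.
  re <- "^VAULT:(.+):([^:]+)$"
  is_secret <- vapply(x, function(el) {
    is.character(el) && length(el) == 1 && grepl(re, el)
  }, logical(1))
  for (i in which(is_secret)) {
    path  <- sub(re, "\\1", x[[i]])
    field <- sub(re, "\\2", x[[i]])
    x[[i]] <- read_field(store, path, field)
  }
  x
}

# Constructed input mixing a secret reference with ordinary values and
# a string that starts with "VAULT:" but does not fit the pattern.
x <- list(user = "alice",
          password = "VAULT:/secret/database/user:password",
          port = 5678,
          note = "VAULT: prefix alone is not a reference")
resolved <- resolve_secrets_offline(x, fake_store)
stopifnot(identical(resolved$password, "s3cret!"),
          identical(resolved$port, 5678),
          identical(resolved$note, x$note))

# A mistyped field name fails loudly instead of silently leaving the
# placeholder string in the configuration.
tryCatch(
  resolve_secrets_offline(list(p = "VAULT:/secret/database/user:passwd"),
                          fake_store),
  error = function(e) message("Resolution failed: ", conditionMessage(e))
)
```

The last call is the case worth checking in practice: a reference that does not resolve should stop the application rather than let a literal "VAULT:..." string be used as a password.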

Examples


server <- vaultr::vault_test_server(if_disabled = message)
#> ...waiting for Vault to start
#> ...waiting for Vault to start

if (!is.null(server)) {
  client <- server$client()
  # The example from above:
  client$write("/secret/database/user",
               list(username = "alice", password = "s3cret!"))

  # A list of data that contains a mix of secrets to be resolved
  # and other data:
  x <- list(user = "alice",
            password = "VAULT:/secret/database/user:password",
            port = 5678)

  # Explicitly pass in the login details and resolve the secrets:
  vaultr::vault_resolve_secrets(x, login = "token", token = server$token,
                                addr = server$addr)

  # Alternatively, if appropriate environment variables are set
  # then this can be done more easily:
  if (requireNamespace("withr", quietly = TRUE)) {
    env <- c(VAULTR_AUTH_METHOD = "token",
             VAULT_TOKEN = server$token,
             VAULT_ADDR = server$addr)
    withr::with_envvar(env, vault_resolve_secrets(x))
  }
}
#> Verifying token
#> Verifying token
#> $user
#> [1] "alice"
#> 
#> $password
#> [1] "s3cret!"
#> 
#> $port
#> [1] 5678
#>