Use vault to resolve secrets. This is a convenience function that wraps a pattern that we have used in a few applications of vault. The idea is to allow replacement of data in configuration with special strings that indicate that the string refers to a vault secret. This function resolves those secrets.
Arguments
- x
List of values, some of which may refer to vault secrets (see Details for pattern). Any values that are not strings or do not match the pattern of a secret are left as-is.
- ...
Args to be passed to vault_client call.
- login
Login method to be passed to call to vault_client.
- vault_args
As an alternative to using login and ..., a list of (named) arguments can be provided here, equivalent to the full set of arguments that you might pass to vault_client. If provided, then login is ignored and if additional arguments are provided through ... an error will be thrown.
Details
For each element of the data, if a string matches the form:
VAULT:<path to secret>:<field>
then it will be treated as a vault secret and resolved. The <path to secret> will be something like /secret/path/password and the <field> the name of a field in the key/value data stored at that path. For example, suppose you have the data list(username = "alice", password = "s3cret!") stored at /secret/database/user, then the string
VAULT:/secret/database/user:password
would refer to the value s3cret!
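Because values that do not match the pattern are left as-is, a mistyped reference reaches the application as a literal string instead of a secret. The following is an added example, not part of vaultr: a hypothetical helper, audit_vault_refs(), that lists the paths and fields a configuration refers to and flags near-misses without contacting vault. The regular expression and the sample values in cfg are assumptions constructed for illustration.

```r
# Added example: audit_vault_refs() is a hypothetical helper, not part of vaultr.
# Assumption: this regex approximates the documented VAULT:<path>:<field> form.
ref_re <- "^VAULT:(.+):([^:]+)$"

audit_vault_refs <- function(x) {
  nms <- names(x)
  if (is.null(nms)) nms <- as.character(seq_along(x))
  # Only length-one strings can be references; everything else becomes NA.
  vals <- vapply(x, function(el) {
    if (is.character(el) && length(el) == 1L) el else NA_character_
  }, character(1), USE.NAMES = FALSE)
  is_str <- !is.na(vals)
  is_ref <- is_str & grepl(ref_re, vals)
  # Starts like a reference (any case) but fails the pattern: such a value
  # would be left as-is and used as a literal, so report it for review.
  near_miss <- is_str & !is_ref & grepl("^vault:", vals, ignore.case = TRUE)
  list(
    # One row per reference: useful for scoping a read-only policy to
    # exactly the paths this configuration needs.
    refs = data.frame(name = nms[is_ref],
                      path = sub(ref_re, "\\1", vals[is_ref]),
                      field = sub(ref_re, "\\2", vals[is_ref]),
                      stringsAsFactors = FALSE),
    near_miss = nms[near_miss]
  )
}

# Constructed sample configuration (values are illustrative only).
cfg <- list(user = "alice",
            password = "VAULT:/secret/database/user:password",
            api_key = "VAULT:/secret/api",                 # no field
            backup = "vault:/secret/database/user:password",  # wrong case
            port = 5678)

res <- audit_vault_refs(cfg)
print(res$refs)
if (length(res$near_miss) > 0) {
  warning("Possible malformed vault references: ",
          paste(res$near_miss, collapse = ", "))
}
```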
Examples
server <- vaultr::vault_test_server(if_disabled = message)
#> ...waiting for Vault to start
#> ...waiting for Vault to start
if (!is.null(server)) {
  client <- server$client()
  # The example from above:
  client$write("/secret/database/user",
               list(username = "alice", password = "s3cret!"))
  # A list of data that contains a mix of secrets to be resolved
  # and other data:
  x <- list(user = "alice",
            password = "VAULT:/secret/database/user:password",
            port = 5678)
  # Explicitly pass in the login details and resolve the secrets:
  vaultr::vault_resolve_secrets(x, login = "token", token = server$token,
                                addr = server$addr)
  # Alternatively, if appropriate environment variables are set
  # then this can be done more easily:
  if (requireNamespace("withr", quietly = TRUE)) {
    env <- c(VAULTR_AUTH_METHOD = "token",
             VAULT_TOKEN = server$token,
             VAULT_ADDR = server$addr)
    withr::with_envvar(env, vaultr::vault_resolve_secrets(x))
  }
}
#> Verifying token
#> Verifying token
#> $user
#> [1] "alice"
#>
#> $password
#> [1] "s3cret!"
#>
#> $port
#> [1] 5678
#>