
Vault Integration for Secrets

Open grahamc opened this issue 5 years ago • 5 comments

Two things to consider:

  1. A way for Vault to provide deployment.keys secrets
  2. A way for Vault to provide tokens for nixops-aws and other plugins, instead of reading from the environment.

We should consider if we want to do these at all, and also if we should make its behavior something a plugin could provide.

grahamc, Apr 20 '20 14:04

This project might be relevant as well: https://github.com/Mic92/sops-nix Sops has vault integration to decrypt keys.

Mic92, Jul 24 '20 22:07

This could be split up into two changes, one to define the whole network via the module system, the other to add a resource similar to commandOutput, but which doesn't store a value in the state file. Using these two, this can be implemented completely in Nix, at least for (1). For (2) this may require plugins to provide thunks, so a tight integration with the interpreter, which is not possible with nix-instantiate. Writing a python binding for libexpr may be out of scope here, but you can chat with me about libexpr bindings though :)

roberth, Sep 16 '21 17:09

Would https://github.com/PsyanticY/nixops-vault be somehow helpful?

tewfik-ghariani, Sep 28 '21 11:09

This issue is mostly about getting secrets out of Vault at deployment time, whereas nixops-vault currently only supports the creation of resources inside vault; writing to vault. I suppose it could add support for a secret reading resource, which will enable (1), but perhaps not (2) just yet.

roberth, Sep 28 '21 12:09

That said, (1) is probably not what you want anyway. Vault Agent templating would be preferable in most setups.

roberth, Sep 28 '21 12:09
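Point (1) from the opening post, as an added example that is not from this thread or the nixops project: a minimal network that fetches a key from Vault at deploy time through the existing `deployment.keys.<name>.keyCommand` option, and wires a service to the key unit NixOps generates. It assumes a NixOps version that has `keyCommand`, a Vault CLI already logged in on the host running `nixops deploy`, and a hypothetical KV secret `secret/app` with a `db_password` field; the target host address is a documentation placeholder.

```nix
# Added example, not nixops project code. The key command runs on the deploying
# host; its stdout becomes the key body, which NixOps copies to /run/keys on the
# target. /run/keys is a tmpfs, so after a reboot the key must be re-sent with
# `nixops send-keys` before the service can start.
{
  network.description = "vault-keys-example";

  webserver = { config, pkgs, ... }: {
    deployment.targetEnv = "none";
    deployment.targetHost = "192.0.2.10";  # placeholder address

    deployment.keys.db-password = {
      # `vault kv get -field=...` prints only the field value, no metadata,
      # so it can be used as the key contents unchanged. Secret path is assumed.
      keyCommand = [ "vault" "kv" "get" "-field=db_password" "secret/app" ];
      user = "app";
      group = "app";
      permissions = "0400";
      # destDir defaults to /run/keys; the file is /run/keys/db-password.
    };

    users.users.app = { isSystemUser = true; group = "app"; };
    users.groups.app = {};

    systemd.services.app = {
      description = "service that reads its DB password from the deployed key";
      # NixOps generates <name>-key.service for each key; order after it so the
      # file exists (and blocks start, rather than failing) when the unit runs.
      after = [ "db-password-key.service" ];
      wants = [ "db-password-key.service" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        User = "app";
        Group = "app";
        # Hand the file over via systemd credentials rather than an environment
        # variable, so the value is not visible through /proc/<pid>/environ.
        LoadCredential = "db_password:/run/keys/db-password";
      };
      script = ''
        # Placeholder for the real program, which should read the password from
        # "$CREDENTIALS_DIRECTORY/db_password" and never take it as an argument.
        test -s "$CREDENTIALS_DIRECTORY/db_password"
        exec ${pkgs.coreutils}/bin/sleep infinity
      '';
    };
  };
}
```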