vaultlib
Lightweight Go client library for reading Vault kv secrets
Lightweight, simple Go library for reading Vault secrets over the HTTP API.
Connects to Vault through app role or token.
Reads kv secret values.
Features
- Connect to Vault through app role
- Read Vault secret, kv type (v1 or v2 "versioned")
- Automatically renew token
- Execute any HTTP request on Vault (RawRequest)
Config
Configuration can be done through env variables or programmatically through the Config object.
The following env variables are supported:
VAULT_ADDR # Vault server URL (default "http://localhost:8200")
VAULT_CACERT # Path to CA file
VAULT_TOKEN # Vault Token
VAULT_ROLEID # Vault app role id
VAULT_SECRETID # Vault app role secret id
VAULT_MOUNTPOINT # Vault app role mountpoint (default "approle")
VAULT_CLIENT_TIMEOUT # Client timeout
VAULT_SKIP_VERIFY # Do not verify the server's TLS certificate
If not set, vaultlib will fall back to safe default values.
vaultlib will automatically use the http_proxy environment variable to connect to Vault.
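A preflight check over the variables listed above, run before the client is created. This is an added example, not part of vaultlib: `auditVaultEnv` is a hypothetical helper, and it assumes VAULT_SKIP_VERIFY holds a Go-style boolean, which the page does not specify.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"os"
	"strconv"
)

// auditVaultEnv (hypothetical helper, not a vaultlib function) inspects the
// VAULT_* variables and returns findings. getenv is injected for testing.
func auditVaultEnv(getenv func(string) string) []string {
	var findings []string
	addr := getenv("VAULT_ADDR")
	if addr == "" {
		addr = "http://localhost:8200" // default documented on this page
	}
	u, err := url.Parse(addr)
	if err != nil || u.Hostname() == "" {
		return append(findings, "VAULT_ADDR is not a valid URL")
	}
	ip := net.ParseIP(u.Hostname())
	loopback := u.Hostname() == "localhost" || (ip != nil && ip.IsLoopback())
	if u.Scheme != "https" && !loopback {
		findings = append(findings, "VAULT_ADDR uses plain HTTP to a remote host: token and secrets travel unencrypted")
	}
	// Assumption: the value is a Go-style boolean ("1", "true", ...).
	if skip, _ := strconv.ParseBool(getenv("VAULT_SKIP_VERIFY")); skip {
		findings = append(findings, "VAULT_SKIP_VERIFY disables certificate checks; trust the CA through VAULT_CACERT instead")
	}
	if ca := getenv("VAULT_CACERT"); ca != "" {
		if _, err := os.Stat(ca); err != nil {
			findings = append(findings, "VAULT_CACERT does not point to an existing file")
		}
	}
	if getenv("VAULT_TOKEN") == "" && (getenv("VAULT_ROLEID") == "" || getenv("VAULT_SECRETID") == "") {
		findings = append(findings, "no credentials: set VAULT_TOKEN, or both VAULT_ROLEID and VAULT_SECRETID")
	}
	return findings
}

func main() {
	for _, f := range auditVaultEnv(os.Getenv) {
		fmt.Fprintln(os.Stderr, "vault config:", f)
	}
}
```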
Getting Started
For a simple, working example, check the sample folder.
package main

import (
	"fmt"
	"log"
	"os"

	vault "github.com/mch1307/vaultlib"
)

func main() {
	// Config can be set through ENV before invoking NewConfig
	os.Setenv("VAULT_ADDR", "http://localhost:8200")

	// Create a new config. Reads env variables, falls back to default values if needed
	vcConf := vault.NewConfig()

	// Config can also be done programmatically
	vcConf.Address = "http://localhost:8200"

	// Set app role credentials (e.g. after reading them from a docker secret)
	// vcConf.AppRoleCredentials.RoleID = "myRoleID"
	// vcConf.AppRoleCredentials.SecretID = "mySecretID"
	// If you have set a different mountpoint from "approle":
	// vcConf.AppRoleCredentials.MountPoint = "myCustomMountPoint"

	// Create new client
	vaultCli, err := vault.NewClient(vcConf)
	if err != nil {
		log.Fatal(err)
	}

	// Get the Vault secret data; stop on error instead of iterating an empty result
	kv, err := vaultCli.GetSecret("my_kv/my_org/my_secret")
	if err != nil {
		log.Fatal(err)
	}

	// Print each key/value pair of the secret (demo only: this writes secret values to stdout)
	for k, v := range kv.KV {
		fmt.Printf("secret %v: %v\n", k, v)
	}
}