Hashicorp Vault

Authentication & Configuration

Authenticating with the vault CLI is enough. You can also use environment variables:

VAULT_ADDR=https://vault.company.org
VAULT_TOKEN="xxx"

Or specify the address and token path in .novops.yml under the root config element:

config:
  hashivault:
    address: http://localhost:8200
    token_path: /path/to/token

Hashicorp Vault uses tokens for authenticated entities. You can use any authentication method (vault login, web UI/API...) to obtain a valid token.

Novops will load the token in this order:

Generally, the VAULT_* environment variables recognized by the vault CLI will also work with Novops.

AWS Secret Engine

The AWS Secret Engine generates temporary STS credentials. It maps directly to the Generate Credentials API.

It outputs the environment variables used by most AWS SDKs and tools:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_SESSION_TOKEN

environments:
  dev:
    hashivault:
      aws:
        mount: aws
        name: dev_role
        role_arn: arn:aws:iam::111122223333:role/dev_role
        role_session_name: dev-session
        ttl: 2h

Key Value v2

Hashicorp Vault Key Value Version 2 with variables and files:

environments:
  dev:
    variables:
      - name: APP_PASSWORD
        value:
          hvault_kv2:
            mount: "secret"
            path: "myapp/dev/creds"
            key: "password"

    files:
      - name: SECRET_TOKEN
        dest: .token
        content:
          hvault_kv2:
            # mount omitted: defaults to 'secret', as in the variable above
            path: "myapp/dev/creds"
            key: "token"

Key Value v1

Hashicorp Vault Key Value Version 1 with variables and files:

environments:
  dev:
    variables:
      - name: APP_PASSWORD
        value:
          hvault_kv1:
            path: app/dev
            key: password
            mount: kv1 # Override secret engine mount ('secret' by default)

    files:
      - variable: APP_TOKEN
        content:
          hvault_kv1:
            path: app/dev
            key: token