# Hashicorp Vault

## Authentication & Configuration

### Authenticating with Vault

Authenticating with the `vault` CLI is enough. You can also use environment variables:

```sh
VAULT_ADDR=https://vault.company.org
VAULT_TOKEN="xxx"
```

Or specify the address or token path in `.novops.yml` via the root `config` element:

```yaml
config:
  hashivault:
    address: http://localhost:8200
    token_path: /path/to/token
```

Hashicorp Vault uses tokens to identify authenticated entities. You can use any authentication method (`vault login`, web UI, API...) to get a valid token.

Novops will load the token in this order:

- `VAULT_TOKEN` environment variable
- `token_path` in `.novops.yml`
- Local file `~/.vault-token` (generated by default with `vault login`)

Generally, the `VAULT_*` environment variables available for the `vault` CLI will also work with Novops.
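The lookup order above, written out as a small resolver. This is an added example, not Novops's own code: inputs (environment mapping, parsed `.novops.yml`, home directory) are injected so it runs offline, the `VAULT_ADDR`-over-`address` precedence and the fall-through from an unreadable `token_path` to `~/.vault-token` are assumptions of the example, and all function names are hypothetical.

```python
# Added example, not Novops's own code: the token/address lookup order the
# text above documents, written as a resolver with injected inputs
# (environment mapping, parsed .novops.yml, home directory) so it runs offline.
from pathlib import Path
from typing import Mapping, Optional, Tuple


def _hashivault_config(config: dict) -> dict:
    """Return the config.hashivault mapping of a parsed .novops.yml, or {}."""
    return (config.get("config") or {}).get("hashivault") or {}


def read_token_file(path: Path) -> Optional[str]:
    """Return the token stored in `path`, or None if the file is missing or empty.

    `vault login` writes the bare token; surrounding whitespace is stripped so a
    token that was hand-pasted with a trailing newline still works.
    """
    try:
        token = path.read_text(encoding="utf-8").strip()
    except (FileNotFoundError, IsADirectoryError, PermissionError):
        return None
    return token or None


def resolve_vault_token(env: Mapping[str, str], config: dict, home: Path) -> Tuple[Optional[str], str]:
    """Return (token, source) following the documented precedence:

    1. VAULT_TOKEN environment variable
    2. config.hashivault.token_path from .novops.yml
    3. ~/.vault-token written by `vault login`

    An empty VAULT_TOKEN or an unreadable token_path falls through to the next
    source; that fall-through is an assumption of this example, not documented
    Novops behaviour.
    """
    env_token = env.get("VAULT_TOKEN", "").strip()
    if env_token:
        return env_token, "VAULT_TOKEN"
    token_path = _hashivault_config(config).get("token_path")
    if token_path:
        token = read_token_file(Path(token_path).expanduser())
        if token:
            return token, "token_path"
    token = read_token_file(home / ".vault-token")
    if token:
        return token, "~/.vault-token"
    return None, "none"


def resolve_vault_address(env: Mapping[str, str], config: dict) -> Optional[str]:
    """VAULT_ADDR wins over config.hashivault.address (assumed to mirror the token order)."""
    return env.get("VAULT_ADDR") or _hashivault_config(config).get("address")


if __name__ == "__main__":
    import os

    token, source = resolve_vault_token(os.environ, {}, Path.home())
    print("address:", resolve_vault_address(os.environ, {}))
    # The token value itself is deliberately never printed.
    print("token source:", source, "(token present)" if token else "(no token found)")
```

Run it in a shell where you have done `vault login` and it reports `~/.vault-token` as the source; export `VAULT_TOKEN` and the environment variable takes over, exactly as the list above states.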
## AWS Secret Engine

The AWS Secret Engine generates temporary STS credentials. It maps directly to Vault's Generate Credentials API.

It outputs the environment variables used by most AWS SDKs and tools:

- `AWS_ACCESS_KEY_ID`
- `AWS_SECRET_ACCESS_KEY`
- `AWS_SESSION_TOKEN`

```yaml
environments:
  dev:
    hashivault:
      aws:
        mount: aws
        name: dev_role
        role_arn: arn:aws:iam::111122223333:role/dev_role
        role_session_name: dev-session
        ttl: 2h
```
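What the `hashivault.aws` block above turns into on the wire, as an added example that is not Novops's own code: it builds the request for Vault's Generate Credentials endpoint (`POST /v1/<mount>/sts/<name>`) from the config and maps a constructed response onto the three `AWS_*` variables. The response shape follows Vault's documented schema, but the sample values, the `SAMPLE_RESPONSE` constant and all function names are constructed for this example.

```python
# Added example, not Novops's own code: builds the Vault AWS secret engine
# request from the `hashivault.aws` config and maps a constructed response onto
# the AWS_* variables SDKs read.
from typing import Dict, Tuple

# Constructed from the documentation's example above.
AWS_CONFIG = {
    "mount": "aws",
    "name": "dev_role",
    "role_arn": "arn:aws:iam::111122223333:role/dev_role",
    "role_session_name": "dev-session",
    "ttl": "2h",
}

# Constructed sample response in the shape Vault returns for /sts/<name>;
# key material is AWS's documented example values, not real credentials.
SAMPLE_RESPONSE = {
    "lease_id": "aws/sts/dev_role/EXAMPLE-LEASE-ID",
    "lease_duration": 7200,
    "renewable": False,
    "data": {
        "access_key": "ASIAIOSFODNN7EXAMPLE",
        "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "security_token": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN",
        "arn": "arn:aws:sts::111122223333:assumed-role/dev_role/dev-session",
    },
}


def build_sts_request(cfg: dict) -> Tuple[str, Dict[str, str]]:
    """Return (API path, JSON body) for POST /v1/<mount>/sts/<name>.

    `mount` defaults to "aws", the engine's default mount point; role_arn,
    role_session_name and ttl are forwarded unchanged when present.
    """
    mount = cfg.get("mount", "aws").strip("/")
    path = f"/v1/{mount}/sts/{cfg['name']}"
    body = {k: cfg[k] for k in ("role_arn", "role_session_name", "ttl") if k in cfg}
    return path, body


def to_aws_env(response: dict) -> Dict[str, str]:
    """Map the response onto the variables AWS SDKs read.

    STS credentials are only valid together with their session token, so a
    response without one is rejected instead of exporting a half-configured
    environment that would fail in confusing ways later.
    """
    data = response["data"]
    if not data.get("security_token"):
        raise ValueError("no security_token in response: not temporary STS credentials")
    return {
        "AWS_ACCESS_KEY_ID": data["access_key"],
        "AWS_SECRET_ACCESS_KEY": data["secret_key"],
        "AWS_SESSION_TOKEN": data["security_token"],
    }


def ttl_to_seconds(ttl: str) -> int:
    """Parse the simple Go-style durations used in the config ("2h", "30m", "3600s", "3600")."""
    units = {"s": 1, "m": 60, "h": 3600}
    if ttl and ttl[-1] in units:
        return int(ttl[:-1]) * units[ttl[-1]]
    return int(ttl)


def granted_less_than_requested(cfg: dict, response: dict) -> bool:
    """True when Vault capped the lease below the configured ttl (role or engine max TTL)."""
    return int(response.get("lease_duration", 0)) < ttl_to_seconds(cfg.get("ttl", "0"))


if __name__ == "__main__":
    path, body = build_sts_request(AWS_CONFIG)
    print("POST", path, body)
    for name in to_aws_env(SAMPLE_RESPONSE):
        print(f"export {name}=...")  # values deliberately not printed
    if granted_less_than_requested(AWS_CONFIG, SAMPLE_RESPONSE):
        print("warning: lease shorter than requested ttl")
```

The `granted_less_than_requested` check is worth keeping in real tooling: the `ttl` in the config is a request, and Vault may hand back a shorter lease when the role or the engine enforces a lower maximum.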
## Key Value v2

Hashicorp Vault Key Value Version 2 with variables and files:

```yaml
environments:
  dev:
    variables:
      - name: APP_PASSWORD
        value:
          hvault_kv2:
            mount: "secret"
            path: "myapp/dev/creds"
            key: "password"
    files:
      - name: SECRET_TOKEN
        dest: .token
        content:
          hvault_kv2:
            path: "myapp/dev/creds"
            key: "token"
```
## Key Value v1

Hashicorp Vault Key Value Version 1 with variables and files:

```yaml
environments:
  dev:
    variables:
      - name: APP_PASSWORD
        value:
          hvault_kv1:
            path: app/dev
            key: password
            mount: kv1 # Override secret engine mount ('secret' by default)
    files:
      - variable: APP_TOKEN
        content:
          hvault_kv1:
            path: app/dev
            key: token
```
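How the `hvault_kv2` and `hvault_kv1` references from the two sections above resolve against Vault, as an added example that is not Novops's own code. It serves both sections: the same reference shape (`mount`, `path`, `key`) maps to a different read endpoint and a different response nesting depending on the engine version, which is the usual source of "secret not found" confusion when a mount is upgraded from v1 to v2. The endpoint layouts are Vault's documented ones; the sample responses, their values and the function names are constructed for this example.

```python
# Added example, not Novops's own code: resolves `hvault_kv2` / `hvault_kv1`
# value references to the Vault read endpoint and extracts the requested key
# from a constructed response. KV v2 inserts a literal "data" path segment and
# nests the secret under data.data; KV v1 does neither.
from typing import Tuple

DEFAULT_MOUNT = "secret"  # documented default when `mount` is omitted
_VERSIONS = {"hvault_kv2": 2, "hvault_kv1": 1}

# Constructed responses in the shape Vault returns for each engine version.
SAMPLE_V2_RESPONSE = {
    "data": {
        "data": {"password": "p4ss-example", "token": "tok-example"},
        "metadata": {"version": 3, "destroyed": False},
    }
}
SAMPLE_V1_RESPONSE = {"data": {"password": "v1-p4ss-example", "token": "v1-tok-example"}}


def parse_reference(value_block: dict) -> Tuple[int, dict]:
    """Return (kv_version, reference) from the mapping under `value:` or `content:`.

    Rejects blocks with several sources or with a missing `path`/`key` up front,
    so a malformed .novops.yml fails at load time rather than at first use.
    """
    if len(value_block) != 1:
        raise ValueError("exactly one secret source expected per value")
    (kind, ref), = value_block.items()
    if kind not in _VERSIONS:
        raise ValueError(f"unsupported source {kind!r}")
    for required in ("path", "key"):
        if required not in ref:
            raise ValueError(f"{kind}: missing required field {required!r}")
    return _VERSIONS[kind], ref


def kv_api_path(value_block: dict) -> str:
    """Vault read endpoint for the reference: /v1/<mount>/data/<path> (v2) or /v1/<mount>/<path> (v1)."""
    version, ref = parse_reference(value_block)
    mount = ref.get("mount", DEFAULT_MOUNT).strip("/")
    path = ref["path"].strip("/")
    if version == 2:
        return f"/v1/{mount}/data/{path}"
    return f"/v1/{mount}/{path}"


def extract_secret(value_block: dict, response: dict) -> str:
    """Pull `key` out of a read response, accounting for the v2 data.data nesting."""
    version, ref = parse_reference(value_block)
    secrets = response["data"]["data"] if version == 2 else response["data"]
    if secrets is None:  # defensive: a null secret body is reported, not crashed on
        raise LookupError(f"{ref['path']}: no secret data in response")
    try:
        return str(secrets[ref["key"]])
    except KeyError:
        # Report the key and path only; never echo the other values in the secret.
        raise LookupError(f"{ref['path']}: key {ref['key']!r} not present") from None


if __name__ == "__main__":
    v2_ref = {"hvault_kv2": {"mount": "secret", "path": "myapp/dev/creds", "key": "password"}}
    v1_ref = {"hvault_kv1": {"path": "app/dev", "key": "password", "mount": "kv1"}}
    for ref, resp in ((v2_ref, SAMPLE_V2_RESPONSE), (v1_ref, SAMPLE_V1_RESPONSE)):
        print("GET", kv_api_path(ref), "->", len(extract_secret(ref, resp)), "chars")
```

Note that the v2 file reference in the page's example omits `mount`, so it resolves to the same `/v1/secret/data/myapp/dev/creds` path as the variable next to it; the v1 variable overrides `mount` to `kv1` and so reads `/v1/kv1/app/dev`.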