Lightweight, simple Go library for Vault secret reading (HTTP API).
Connect to Vault through app role or token.
Reads kv secret values.
- Connect to Vault through app role
- Read Vault secret, kv type (v1 or v2 "versioned")
- Automatically renew token
- Execute any HTTP request on Vault (RawRequest)

Configuration can be done through env variables or programmatically through the Config object.
The following env variables are supported:
```
VAULT_ADDR            # Vault server URL (default "http://localhost:8200")
VAULT_CACERT          # Path to CA file
VAULT_TOKEN           # Vault token
VAULT_ROLEID          # Vault app role id
VAULT_SECRETID        # Vault app role secret id
VAULT_MOUNTPOINT      # Vault app role mountpoint (default "approle")
VAULT_CLIENT_TIMEOUT  # Client timeout
VAULT_SKIP_VERIFY     # Skip TLS certificate verification
```
If not set, vaultlib will fall back to safe default values.
vaultlib will automatically use the http_proxy environment variable to connect to Vault.
For a simple, working example, check the sample folder.
```go
package main

import (
	"fmt"
	"log"
	"os"

	vault "github.com/mch1307/vaultlib"
)

func main() {
	// Config can be set through ENV before invoking NewConfig
	os.Setenv("VAULT_ADDR", "http://localhost:8200")
	// Create a new config. Reads env variables, falls back to default values if needed
	vcConf := vault.NewConfig()
	// Config can also be done programmatically
	vcConf.Address = "http://localhost:8200"
	// Set app role credentials (i.e. after reading from a docker secret)
	// vcConf.AppRoleCredentials.RoleID = "myRoleID"
	// vcConf.AppRoleCredentials.SecretID = "mySecretID"
	// If you have set a different mountpoint from "approle":
	// vcConf.AppRoleCredentials.MountPoint = "myCustomMountPoint"
	// Create new client
	vaultCli, err := vault.NewClient(vcConf)
	if err != nil {
		log.Fatal(err)
	}
	// Get the Vault secret data; stop on error instead of using an empty result
	kv, err := vaultCli.GetSecret("my_kv/my_org/my_secret")
	if err != nil {
		log.Fatal(err)
	}
	// Print the key/value pairs (demo only; do not log secret values in real code)
	for k, v := range kv.KV {
		fmt.Printf("secret %v: %v\n", k, v)
	}
}
```
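
A preflight check for the environment variables listed above, as an added example that is not part of vaultlib or its README: it flags a non-HTTPS `VAULT_ADDR` whose host is not loopback, a set `VAULT_SKIP_VERIFY`, and a `VAULT_CACERT` path that cannot be read. `auditVaultEnv` and `isLoopback` are hypothetical names, and how vaultlib itself parses `VAULT_SKIP_VERIFY` is an assumption.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"os"
	"strconv"
)

// auditVaultEnv (hypothetical helper) returns one finding per risky setting
// among the env variables above. getenv is injected so it can be tested.
func auditVaultEnv(getenv func(string) string) []string {
	var findings []string
	addr := getenv("VAULT_ADDR")
	if addr == "" {
		addr = "http://localhost:8200" // default documented on this page
	}
	u, err := url.Parse(addr)
	if err != nil || u.Hostname() == "" {
		findings = append(findings, "VAULT_ADDR is not a valid URL")
	} else if u.Scheme != "https" && !isLoopback(u.Hostname()) {
		findings = append(findings, "VAULT_ADDR is not https and the host is not loopback")
	}
	// Assumption: any value that does not parse as false turns verification off.
	if v := getenv("VAULT_SKIP_VERIFY"); v != "" {
		if skip, err := strconv.ParseBool(v); err != nil || skip {
			findings = append(findings, "VAULT_SKIP_VERIFY disables TLS certificate verification")
		}
	}
	if p := getenv("VAULT_CACERT"); p != "" {
		if _, err := os.Stat(p); err != nil {
			findings = append(findings, "VAULT_CACERT points to an unreadable file")
		}
	}
	return findings
}

// isLoopback reports whether host is "localhost" or a loopback IP literal.
func isLoopback(host string) bool {
	ip := net.ParseIP(host)
	return host == "localhost" || (ip != nil && ip.IsLoopback())
}

func main() {
	for _, f := range auditVaultEnv(os.Getenv) {
		fmt.Println("WARN:", f)
	}
}
```

Run it in the same environment the application starts in, before `NewConfig` is called, and fail the deployment if it prints anything.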