Crate config_vault_source


§config-vault-source

config-vault-source is an extension for the config crate that allows loading configuration values directly from HashiCorp Vault.

This crate provides:

  • Support for KV1 and KV2 Vault engines
  • Optional TLS support (via the tls feature)
  • Optional async loading (via the async feature)
  • Automatic flattening of nested JSON secrets into config keys
  • A clean and ergonomic Builder API

It is designed as a drop-in additional Source (or AsyncSource) for the config crate and works the same way as other config sources.


§✨ Example (Synchronous)

use config::Config;
use config_vault_source::VaultSource;

fn load_config() -> Result<Config, config::ConfigError> {
    let vault = VaultSource::builder()
        .address("http://127.0.0.1:8200")
        .token("hvs.EXAMPLE_TOKEN")
        .mount("secret")
        .path("dev")
        .build()?;

    let config = Config::builder()
        .add_source(vault)
        .build()?;

    Ok(config)
}

§⚡ Example (Asynchronous)

Requires:

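config-vault-source = { version = "...", features = ["async"] }

use config_vault_source::VaultSource;

// `Settings` is the application's own type implementing `serde::Deserialize`.
pub async fn get_configuration_async() -> Result<Settings, config::ConfigError> {
    // Each setting falls back to a local development value when its variable is unset.
    let vault_async_source = VaultSource::builder()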
        .address(std::env::var("VAULT_ADDR").unwrap_or("http://0.0.0.0:8200".into()))
        .token(std::env::var("VAULT_TOKEN").unwrap_or("root".into()))
        .mount(std::env::var("VAULT_MOUNT").unwrap_or("secret".into()))
        .path(std::env::var("VAULT_PATH").unwrap_or("dev".into()))
        .build()?;

    let settings = config::Config::builder()
        .add_source(config::File::with_name("config"))
        .add_async_source(vault_async_source)
        .build()
        .await?;

    settings.try_deserialize()
}

§🔐 TLS Support

Enable the tls feature:

config-vault-source = { version = "...", features = ["tls"] }

Builder options become available for CA certificates, client certificates, client keys, and allowing invalid certs (development mode).


§🧩 KV Engine Support

By default the source uses KV2.
To use KV1, call:

use config_vault_source::{KvVersion, VaultSource};

let vault = VaultSource::builder()
    .kv_version(KvVersion::V1)
    // ...
    .build()?;

§📦 Flattening of Nested Secrets

Vault secrets like:

{
  "database": {
      "host": "localhost",
      "port": 5432
  }
}

automatically become:

database.host = "localhost"
database.port = 5432

This makes them compatible with config merging and with serde deserialization.
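The KV engine difference and the flattening step described above can be sketched with only the standard library; this is an added example, not the crate's implementation. `Value`, `Kv`, `payload`, `flatten`, `load`, `obj` and `sample_kv2` are hypothetical names, the response is constructed, the envelope shapes (`data` for KV1, `data.data` for KV2) follow Vault's HTTP API, and rejecting a key that is produced twice is a choice made here rather than documented crate behaviour.

```rust
use std::collections::BTreeMap;

// Minimal stand-in for a parsed JSON value (assumption, not a crate type).
#[derive(Debug, Clone, PartialEq)]
pub enum Value { Str(String), Int(i64), Object(Vec<(String, Value)>) }
pub enum Kv { V1, V2 }

fn field<'a>(v: &'a Value, name: &str) -> Option<&'a Value> {
    match v {
        Value::Object(f) => f.iter().find(|(k, _)| k.as_str() == name).map(|(_, val)| val),
        _ => None,
    }
}

// KV1 returns the secret under `data`; KV2 under `data.data`, beside `data.metadata`.
pub fn payload(kv: Kv, resp: &Value) -> Option<&Value> {
    let data = field(resp, "data")?;
    match kv { Kv::V1 => Some(data), Kv::V2 => field(data, "data") }
}

// Flatten nested objects into dotted keys; a key produced twice is an error, not an overwrite.
pub fn flatten(prefix: &str, v: &Value, out: &mut BTreeMap<String, Value>) -> Result<(), String> {
    if let Value::Object(fields) = v {
        for (k, child) in fields {
            let key = if prefix.is_empty() { k.clone() } else { format!("{}.{}", prefix, k) };
            flatten(&key, child, out)?;
        }
        return Ok(());
    }
    match out.insert(prefix.to_string(), v.clone()) {
        Some(_) => Err(format!("ambiguous key after flattening: {}", prefix)),
        None => Ok(()),
    }
}

pub fn load(kv: Kv, resp: &Value) -> Result<BTreeMap<String, Value>, String> {
    let mut out = BTreeMap::new();
    flatten("", payload(kv, resp).ok_or("response has no secret data")?, &mut out)?;
    Ok(out)
}

pub fn obj(f: Vec<(&str, Value)>) -> Value {
    Value::Object(f.into_iter().map(|(k, v)| (k.to_string(), v)).collect())
}
pub fn sample_kv2() -> Value { // constructed KV2-style response around the page's secret
    let db = obj(vec![("host", Value::Str("localhost".into())), ("port", Value::Int(5432))]);
    obj(vec![("data", obj(vec![("data", obj(vec![("database", db)])), ("metadata", obj(vec![]))]))])
}

fn main() { for (k, v) in load(Kv::V2, &sample_kv2()).unwrap() { println!("{} = {:?}", k, v); } }
```

A secret that holds both a literal `database.host` key and a nested `database` object maps to the same flattened key twice, which is the case the error branch reports.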


For full usage examples, see the README or the builder documentation.

Re-exports§

pub use builder::VaultSourceBuilder;

Modules§

builder

Structs§

VaultAddr
VaultConfig
VaultSource
A Source for the config library that loads configurations from HashiCorp Vault.

Enums§

KvVersion