credentials: Fetch secrets from the environment or from Vault
A twelve-factor app (as popularized by Heroku) would normally store any passwords or other secrets in environment variables. The alternative would be to include the passwords directly in the source code, which would make it much easier to accidentally reveal them to the world.
Wherever you choose to store your secrets, this library is intended to provide a single, unified API, `credentials::var`. By default, this will return the value of the `EXAMPLE_PASSWORD` environment variable.
To fetch the secrets from Vault, you will first need to set up the same things you would need to use the `vault` command line tool or the
- You need to set the `VAULT_ADDR` environment variable to the URL of your Vault server.
- You can store your Vault token in either the environment variable `VAULT_TOKEN` or the file
Let's assume you have the following secret stored in your vault:
```sh
vault write secret/example username=myuser password=mypass
```
To access it, you'll need to create a `Secretfile` in the directory from which you run your application:
```
# Comments are allowed.
EXAMPLE_USERNAME secret/example:username
EXAMPLE_PASSWORD secret/example:password
```
If you have per-environment secrets, you can interpolate environment variables into the path portion of the `Secretfile` entries:
```
PG_USERNAME postgresql/$VAULT_ENV/creds/readonly:username
PG_PASSWORD postgresql/$VAULT_ENV/creds/readonly:password
```
As before, you can access these secrets using:
```rust
credentials::var("EXAMPLE_USERNAME").unwrap();
credentials::var("EXAMPLE_PASSWORD").unwrap();
credentials::var("PG_USERNAME").unwrap();
credentials::var("PG_PASSWORD").unwrap();
```
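The `Secretfile` format and lookup behaviour described above, as an added example that is not the `credentials` crate's own code: a small Rust reader that parses `NAME path:key` lines, skips `#` comments, interpolates `$VAR` into the path portion only, and resolves each name against an in-memory stand-in for Vault, falling back to an environment variable of the same name when the name has no `Secretfile` entry. The `MockVault` type, `sample_vault`, the `ro_user`/`ro_pass` values, the `staging` environment name and the fallback order are assumptions made for this example; the `$VAR` syntax and the sample entries come from the README. An unset `$VAR` is treated as an error rather than expanded to an empty string, so a missing `VAULT_ENV` cannot quietly address a different path.

```rust
// Added example, not the credentials crate's own code: a reader for the README's
// Secretfile format (NAME path:key, `#` comments, `$VAR` interpolation in the path)
// and a resolver that falls back to the environment. MockVault stands in for Vault.
use std::collections::HashMap;
use std::env;

/// Where one Secretfile variable lives in Vault: `path:key`.
#[derive(Debug, Clone, PartialEq)]
pub struct SecretSpec {
    pub path: String,
    pub key: String,
}

/// Constructed sample Secretfile using the entries shown in the README.
pub const SAMPLE_SECRETFILE: &str = "\
# Comments are allowed.
EXAMPLE_USERNAME secret/example:username
EXAMPLE_PASSWORD secret/example:password
PG_USERNAME postgresql/$VAULT_ENV/creds/readonly:username
PG_PASSWORD postgresql/$VAULT_ENV/creds/readonly:password
";

/// Expand `$VAR` references via `lookup`. An unset variable is an error rather than
/// an empty string, so a missing VAULT_ENV cannot silently address `postgresql//...`.
pub fn interpolate(s: &str, lookup: &dyn Fn(&str) -> Option<String>) -> Result<String, String> {
    let mut out = String::new();
    let mut chars = s.chars().peekable();
    while let Some(c) = chars.next() {
        if c != '$' { out.push(c); continue; }
        let mut name = String::new();
        while let Some(&n) = chars.peek() {
            if !(n.is_ascii_alphanumeric() || n == '_') { break; }
            name.push(n);
            chars.next();
        }
        if name.is_empty() {
            return Err("dangling '$' in Secretfile path".to_string());
        }
        let value = lookup(&name).ok_or_else(|| format!("variable ${} is not set", name))?;
        out.push_str(&value);
    }
    Ok(out)
}

/// Parse Secretfile text into NAME -> SecretSpec. Blank lines and `#` comments are
/// skipped; interpolation applies to the path portion only, as the README says.
pub fn parse_secretfile(text: &str, lookup: &dyn Fn(&str) -> Option<String>) -> Result<HashMap<String, SecretSpec>, String> {
    let mut map = HashMap::new();
    for (i, raw) in text.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') { continue; }
        let mut parts = line.splitn(2, char::is_whitespace);
        let name = parts.next().unwrap_or("");
        let location = parts.next().map(str::trim)
            .ok_or_else(|| format!("line {}: missing path:key for {}", i + 1, name))?;
        let (path, key) = location.rsplit_once(':')
            .ok_or_else(|| format!("line {}: expected path:key, got {:?}", i + 1, location))?;
        map.insert(name.to_string(), SecretSpec { path: interpolate(path, lookup)?, key: key.to_string() });
    }
    Ok(map)
}

/// Constructed stand-in for Vault: secret path -> (key -> value).
pub struct MockVault(pub HashMap<String, HashMap<String, String>>);

/// Resolve `name`: a Secretfile entry is read from Vault; any other name falls back
/// to the environment variable of the same name (assumed order for this example).
pub fn resolve(name: &str, secretfile: &HashMap<String, SecretSpec>, vault: &MockVault,
               lookup: &dyn Fn(&str) -> Option<String>) -> Result<String, String> {
    match secretfile.get(name) {
        Some(spec) => vault.0.get(&spec.path).and_then(|kv| kv.get(&spec.key)).cloned()
            .ok_or_else(|| format!("{}: nothing stored at {}:{}", name, spec.path, spec.key)),
        None => lookup(name)
            .ok_or_else(|| format!("{}: no Secretfile entry and not in the environment", name)),
    }
}

/// Sample vault contents matching SAMPLE_SECRETFILE when VAULT_ENV=staging.
pub fn sample_vault() -> MockVault {
    let kv = |u: &str, p: &str| HashMap::from([("username".to_string(), u.to_string()), ("password".to_string(), p.to_string())]);
    MockVault(HashMap::from([
        ("secret/example".to_string(), kv("myuser", "mypass")),
        ("postgresql/staging/creds/readonly".to_string(), kv("ro_user", "ro_pass")),
    ]))
}

fn main() {
    // Real use: `$VAR` expansion and the fallback read the process environment.
    let lookup = |k: &str| env::var(k).ok();
    let vault = sample_vault();
    let map = match parse_secretfile(SAMPLE_SECRETFILE, &lookup) {
        Ok(map) => map,
        Err(e) => return println!("Secretfile error: {}", e),
    };
    for name in ["EXAMPLE_USERNAME", "PG_PASSWORD", "OTHER_SECRET"].iter() {
        match resolve(name, &map, &vault, &lookup) {
            Ok(_) => println!("{}: resolved (value not printed)", name),
            Err(e) => println!("{}: {}", name, e),
        }
    }
}
```

Run it with `VAULT_ENV=staging` set and the two Secretfile-backed names resolve from the mock vault while `OTHER_SECRET` is reported as missing unless it is exported; run it with `VAULT_ENV` unset and parsing stops with an error instead of building a path with an empty segment. The resolved values are deliberately never printed, since a secrets loader's diagnostics tend to end up in logs.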
See the `examples` directory for complete, working code.
The following features remain to be implemented:
- Honor Vault TTLs.
- Keywhiz support. The big obstacle here is that I can't get Keywhiz keystore stuff working correctly using
Your feedback and contributions are welcome! Just file an issue or send a GitHub pull request.