DEV Community

Josh Dvir

Provide environment variables to your applications in a secure way

These days even the smallest startups run multiple applications (microservices). Each application has its own needs, but they all have one thing in common: secrets they need in order to function correctly.
To all my clients, I recommend using Vault by HashiCorp to keep their secrets safe.

What is Vault?

"Secure, store, and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API." (from their website)

Why do people sometimes need convincing?

Most of the responses I get when trying to implement such a service are:

  • We do not need such a service.
  • It will take too much time to apply, and it's time we don't have.

To help our clients implement the solution in a secure, quick way, we created a small Golang application that connects to Vault, pulls the secrets, and exposes them as environment variables.

I know it sounds simple; it is!

The application is vault-get.

How to use vault-get:

All our applications are Docker-based, so when we create the Docker image we install vault-get into the container:

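FROM SomeBaseImage
# Download the v1.0.0 release binary (pinned by version tag; no checksum is verified here)
ADD https://github.com/devops-israel/vault-get/releases/download/v1.0.0/vault-get-linux-amd64 /usr/bin/vault-get-linux-amd64
# Make it executable and rename it to vault-get
RUN chmod +x /usr/bin/vault-get-linux-amd64 \
    && mv /usr/bin/vault-get-linux-amd64 /usr/bin/vault-get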
WORKDIR /app

Adding the executable is just a matter of downloading it and giving it the right permissions.

Then all you need to do is pass in the configuration, and vault-get will fetch the secrets and expose them as environment variables.

Usage Examples

# Using a token auth (--vault_auth token does not need to be set explicitly):
eval "$(vault-get --vault_host https://vault.example.com --vault_token mytoken --vault_path secret/my-secret)"

# Doing the same with a user and password authentication:
eval "$(vault-get --vault_host https://vault.example.com --vault_auth userpass --vault_username user --vault_password pass --vault_path secret/my-secret)"
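`eval` runs whatever the command prints as shell code, so the loader below exports the variables without evaluating them. It is an added example, not part of vault-get or the original post, and it assumes (the post does not show the output format) that vault-get prints one `export NAME=value` line per secret; `load_exports` and `VAULT_TOKEN` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from vault-get). Assumption: vault-get prints one
# `export NAME=value` line per secret, the value either bare or wrapped in
# one pair of quotes with no escapes; the post does not show the real format.

# load_exports (hypothetical helper): read such lines on stdin and export
# them without eval. Returns 1 if any line was rejected, else 0.
load_exports() {
    _le_rc=0
    while IFS= read -r _le_line || [ -n "$_le_line" ]; do
        case $_le_line in
            '') continue ;;                    # skip blank lines
            "export "*=*) ;;                   # the only accepted shape
            *) _le_rc=1; continue ;;           # never run anything else
        esac
        _le_pair=${_le_line#export }
        _le_name=${_le_pair%%=*}
        _le_value=${_le_pair#*=}
        case $_le_name in
            ''|[0-9]*|*[!A-Za-z0-9_]*) _le_rc=1; continue ;;  # invalid name
            PATH|IFS|ENV|BASH_ENV|LD_*) _le_rc=1; continue ;; # alters later commands
        esac
        case $_le_value in
            \"*\") _le_value=${_le_value#\"}; _le_value=${_le_value%\"} ;;
            \'*\') _le_value=${_le_value#\'}; _le_value=${_le_value%\'} ;;
        esac
        # The value is passed as data; $(...) or backticks in it are not run.
        export "$_le_name=$_le_value"
    done
    return "$_le_rc"
}

# Usage with the flags from the post (a here-document keeps the exports in
# the current shell, and its expanded text is not parsed again):
#   load_exports <<EOF
#   $(vault-get --vault_host https://vault.example.com --vault_token "$VAULT_TOKEN" --vault_path secret/my-secret)
#   EOF
```

A non-zero return means at least one line was skipped, so an entrypoint script can refuse to start the application instead of running with a partial environment.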

vault-get has been in production for over 6 months. It helps us provide secure secret injection from Vault to our applications without any need to interact with the application: the app gets the environment variables it needs and is simply not aware of the provider 😉

A significant benefit we got from moving to Vault is that the DevOps team is no longer a bottleneck: developers can now add the secrets their applications need by themselves. We'll talk about permissions in another post.

Whether or not you need a tool like vault-get, securing your secrets is the best practice you can adopt.

Good Luck!
