Vault Credential Server

This Go package provides a server for retrieving credentials from HashiCorp Vault. The server listens on a Unix socket and responds to requests for specific credentials.

This was the first time I've ever worked with Golang (and sockets) so please let me know where I could improve my code.

Features

Connects to a Vault server to fetch credentials.
Supports AppRole authentication method.
Automatically renews Vault tokens before they expire.

Requirements

Go 1.22 or higher.
HashiCorp Vault & AppRole policies allowing access to secrets
A Unix-based system (due to the use of Unix sockets).

Configuration

The server requires a configuration file in YAML format. The path to this file should be provided using the -config flag when running the server.

Example config.yml:

vault_server: http://localhost:8200
socket_location: /run/vault-credentials.socket
vault_approle: approle

approle_id: 0000-0000-0000-0000
secret_id_path: /etc/vault/secret_id

Installation

Clone the repository:

git clone https://github.com/strass/systemd-credentials-vault
cd vault-credential-server

Build the server:
```
go build .
```

Run the server:

./systemd-credentials-vault -config /path/to/config.yml

Usage

The server listens on a Unix socket specified in the configuration file. It accepts connections and processes requests in the format:

<service>/<credential>

or for generic secrets:

<mount>/<secret-name>/<key>

Example Requests

Via CLI

To get an AppRole Role ID:

echo -n "myservice/role-id" | nc -U /run/vault-credentials.socket

To get an AppRole Secret ID:

echo -n "myservice/secret-id" | nc -U /run/vault-credentials.socket

To get a generic secret:

echo -n "secrets/app_secret/password" | nc -U /run/vault-credentials.socket

Via Systemd Unit

LoadCredential=services.%N.secret:/run/vault-credentials.socket

Testing

Supply Vault URL and Token using environment variables: VAULT_ADDR= VAULT_TOKEN= go test. The test suite connects to Vault, creates an approle, and retrieves a secret via the agent.

Acknowledgments

Damomurf's systemd-credentials-vault: Provided a template and initial inspiration for extending this Golang application to be more versatile.
Medium article by Umglurf: Offered a Python script that was integrated into the original repository and guided further development.
arianvp's systemd creds has an example of how LoadCredentials sends its Network Addr

Name		Name	Last commit message	Last commit date
Latest commit History 23 Commits
.github/workflows		.github/workflows
.vscode		.vscode
.gitignore		.gitignore
Containerfile		Containerfile
LICENSE		LICENSE
README.md		README.md
config.go		config.go
config.yml		config.yml
go.mod		go.mod
go.sum		go.sum
main.go		main.go
main_test.go		main_test.go

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Vault Credential Server

Features

Requirements

Configuration

Installation

Usage

Example Requests

Via CLI

Via Systemd Unit

Testing

Acknowledgments

About

Releases

Packages

Languages

License

strass/systemd-credentials-vault

Folders and files

Latest commit

History

Repository files navigation

Vault Credential Server

Features

Requirements

Configuration

Installation

Usage

Example Requests

Via CLI

Via Systemd Unit

Testing

Acknowledgments

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages