An earthly secret provider for Hashicorp Vault using the currently experimental secret_provider config field.
A minimal Earthfile target using the provider looks like this:

```Earthfile
some-target:
    RUN --secret VAULT_SECRET=+secrets/some/path.some_field \
        echo "secret from vault at path 'some/path' with field 'some_field': $VAULT_SECRET"
```

## Installation

### go install

If you have Go 1.16+, you can install it directly by running:

```sh
go install github.com/brumhard/earthly-secret-provider-vault/cmd/earthly-secret-provider-vault@latest
```

Depending on your Go configuration the binary can be found in `$GOPATH/bin`, or in `$HOME/go/bin` in case `$GOPATH` is not set. Make sure to add the respective directory to your `$PATH`.
See the Go docs for further information, and run `go env` to view your current configuration.
### Binary

Download the desired version for your operating system and processor architecture from the releases page.
Make the file executable and place it in a directory available in your `$PATH`.
### Docker

The secret provider is also distributed as Docker images:

- `ghcr.io/brumhard/earthly-secret-provider-vault:vX.X.X`: a Docker image based on `distroless:static`, containing only the binary.
- `ghcr.io/brumhard/earthly-secret-provider-vault:vX.X.X-full`: based on the upstream `earthly/earthly` image and already configured to use this secret provider. This can be used as a drop-in replacement for the earthly image in CI. Be aware that you still need to set the vault-specific configs (see Setup).
## Setup

The only things necessary to use the secret provider are installing it (see Installation) and setting the earthly config by:

```sh
earthly config global.secret_provider "earthly-secret-provider-vault"
```

Since secret providers can't use any environment variables, you also need to set some vault-specific configs.
To avoid reimplementing all the authentication logic of the vault CLI, the secret provider only uses a token that can be generated with the vault CLI.
For userpass authentication this could look something like the following:

```sh
export VAULT_ADDR=<your-vault-addr>
vault login --method=userpass username=someone
earthly-secret-provider-vault config address $VAULT_ADDR
earthly-secret-provider-vault config token $(vault print token)
```

## Usage

An example Earthfile using the secret provider looks like the following:
```Earthfile
VERSION 0.6
FROM golang:1.18-alpine

test:
    RUN --no-cache --secret TEST=+secrets/path/to/secret.field \
        echo "top secret $TEST"
```

Be aware that the `+secrets/` prefix is normally used by earthly for its cloud secret provider. If the secret is not found in vault, it will also be looked up in the earthly cloud.

The syntax to access a secret in vault is `<vault-path>/<vault-subpath>.<field>`.
The lookup that happens in this example could be replicated with the following vault CLI command:

```sh
vault kv get -field field path/to/secret
```

## Configuration

All configuration options can be set either via the `config` subcommand as described above or in the configuration file, which is placed at `~/.earthly/vault.yml` by default. That is also the file that is edited by the `config` subcommand.
The following configuration options are available:

| Name | Description | Required |
|---|---|---|
| address | The address of the vault server. | x |
| token | The token to use for authentication. This can be generated with the vault CLI, for example. earthly-secret-provider-vault will also try to read the token from `~/.vault-token`, which is used by the vault CLI to store a token after login. This fallback is only used if the token is not set in `vault.yml`. | x |
| prefix | A prefix that is prepended to all paths that are looked up with the secret provider. For example, if all your secrets are at `root/cicd/`, you can use that as prefix and only define the rest of the path in the Earthfile. E.g. if your full path is `root/cicd/some_app/config.field` and the prefix is `root/cicd`, you can use the secret in earthly with `--secret TEST=+secrets/some_app/config.field`. | |
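As an added example (not the project's own code), the following Go program shows how the secret syntax `<vault-path>/<vault-subpath>.<field>` from the Usage section, the `prefix` option and the `token`/`~/.vault-token` precedence from the table above fit together. It assumes the reference handed to the provider may still carry the `+secrets/` prefix and that the field is whatever follows the last dot; both are assumptions, and the `homeDir` parameter exists only so the fallback can be exercised without touching `$HOME`.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ParseSecretRef turns a reference such as "+secrets/some_app/config.field" into
// the vault KV path and field, prepending a configured prefix (e.g. "root/cicd").
// Assumptions: "+secrets/" may still be present; the field follows the last dot.
func ParseSecretRef(name, prefix string) (path, field string, err error) {
	name = strings.TrimPrefix(name, "+secrets/")
	dot := strings.LastIndex(name, ".")
	if dot <= 0 || dot == len(name)-1 {
		return "", "", fmt.Errorf("secret %q must look like <path>.<field>", name)
	}
	path, field = name[:dot], name[dot+1:]
	if prefix != "" {
		path = strings.Trim(prefix, "/") + "/" + strings.TrimLeft(path, "/")
	}
	return path, field, nil
}

// ResolveToken applies the documented precedence: a token set in vault.yml wins,
// otherwise ~/.vault-token (written by `vault login`) is read from homeDir.
func ResolveToken(configToken, homeDir string) (string, error) {
	if configToken != "" {
		return configToken, nil
	}
	b, err := os.ReadFile(filepath.Join(homeDir, ".vault-token"))
	if err != nil {
		return "", fmt.Errorf("no token in vault.yml and ~/.vault-token unreadable: %w", err)
	}
	tok := strings.TrimSpace(string(b))
	if tok == "" {
		return "", fmt.Errorf("%s is empty", filepath.Join(homeDir, ".vault-token"))
	}
	return tok, nil
}

func main() {
	// Constructed sample: the README's prefix example.
	p, f, err := ParseSecretRef("+secrets/some_app/config.field", "root/cicd")
	fmt.Printf("vault kv get -field %s %s (err=%v)\n", f, p, err)
}
```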
## CLI

earthly-secret-provider-vault provides a small CLI on top of the secret provider functionality.
It can be used to print the version and to set config options.
For further information have a look at the CLI docs or run `earthly-secret-provider-vault --help`.