Support Config File for Vault Client

Open dragonndev opened this issue 10 years ago • 11 comments

When using vault as a client app (when unsealing for example) it would be nice if you could specify a client config like you can for the server config. Having to specify the address and ca-cert path variables on each CLI call is rather cumbersome.

dragonndev avatar May 20 '15 21:05 dragonndev

Great idea! Tagged!

armon avatar May 20 '15 21:05 armon

An easy solution you may consider is creating a script and sourcing it before using the client.

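#!/bin/bash
# vaultrc: client settings, loaded with `source`
export VAULT_CAPATH=XXX
export VAULT_TOKEN=XXX
export VAULT_ADDR=XXX

# In the shell: restrict the file's permissions, load it, then use the client
chmod 640 vaultrc
source vaultrc
vault unseal XXX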

Obviously putting your token in plaintext on the filesystem isn't the most secure method in the world, but setting filesystem permissions helps a bit.

This technique is commonly used for "configuring" CLI clients, especially in the OpenStack ecosystem.

ianunruh avatar May 20 '15 23:05 ianunruh

Is there any news on this issue?

rhoml avatar Feb 29 '16 04:02 rhoml

@rhoml No news yet, sorry.

jefferai avatar Feb 29 '16 12:02 jefferai

I think a great approach to this would be if we could expand the .vault-token file's capabilities. Currently I just load these parameters using a zsh function.

rhoml avatar Apr 19 '16 23:04 rhoml

+1, I made a shell script (as ianunruh) to set these and sent them out to the team. I then got asked for a .cmd Windows version, then a PowerShell version, then a Cygwin version. The HCL format of the settings reduces some of this (albeit small) problem.

I also would like to specify an externalTokenHelper for the client and don't see how to do this without the client using a config file.

stvdilln avatar Jun 07 '16 14:06 stvdilln

Hi! Is this solved by the Vault agent config file? https://www.vaultproject.io/docs/agent/index.html. The agent is an automated Vault client that pushes a token out to somewhere easy for you to consume from another application. Currently it pushes tokens out to a file.

tyrannosaurus-becks avatar Dec 20 '19 23:12 tyrannosaurus-becks

Any environment export statement that's required to be set in the shell of most common operating systems is only a single line, e.g.:

  • Linux / bash:

    export VAULT_ADDR=… VAULT_TOKEN=… VAULT_CAPATH=… ;
    # // we continue with using vault
    
  • Windows / powershell:

    $env:VAULT_ADDR="…" ; $env:VAULT_TOKEN="…" ; $env:VAULT_CAPATH="…" ;
    # // we continue with using vault
    

What am I not getting? Is this issue still applicable?

aphorise avatar Aug 09 '20 00:08 aphorise

A config file would still be helpful. It'd be very slick to have the concept of "contexts" (like in kubectl), but even a static config file could be swapped out by some sort of vaultctx-like tool to provide the same multi-context functionality.

oliverisaac avatar Feb 05 '21 15:02 oliverisaac
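
As an added example (not code from any commenter or from the Vault project), the sourced-vaultrc workaround and the vaultctx idea from the comments above can be combined into one shell function that refuses context files accessible to group or others and parses KEY=VALUE lines instead of sourcing them. The `vaultctx` function name, the `VAULTCTX_DIR` variable and the `~/.vaultctx/NAME.env` layout are assumptions made for this example.

```shell
#!/bin/sh
# vaultctx NAME: export Vault client settings for one named context.
# Assumed layout (hypothetical, not a Vault feature):
#   ${VAULTCTX_DIR:-$HOME/.vaultctx}/NAME.env, one KEY=VALUE per line,
#   values taken literally (no quoting, no expansion).
vaultctx() {
    # Reject empty names, path separators and dot-names (no traversal).
    case "$1" in
        ''|*/*|.*) echo "vaultctx: bad context name" >&2; return 2 ;;
    esac
    _vc_file="${VAULTCTX_DIR:-$HOME/.vaultctx}/$1.env"
    if [ ! -f "$_vc_file" ] || [ -L "$_vc_file" ]; then
        echo "vaultctx: $_vc_file is not a regular file" >&2; return 2
    fi
    # The file may hold VAULT_TOKEN in plaintext: refuse it unless group
    # and others have no access at all (mode 600 or stricter).
    _vc_perms=$(ls -ld "$_vc_file" | cut -c5-10)
    if [ "$_vc_perms" != "------" ]; then
        echo "vaultctx: $_vc_file is open to group/others; chmod 600 it" >&2
        return 3
    fi
    # Parse rather than source: nothing in the file runs as shell code,
    # and only the three variables used in this thread are exported.
    while IFS= read -r _vc_line || [ -n "$_vc_line" ]; do
        case "$_vc_line" in
            ''|'#'*) continue ;;
            *=*) ;;
            *) echo "vaultctx: skipping malformed line" >&2; continue ;;
        esac
        _vc_key=${_vc_line%%=*}
        _vc_val=${_vc_line#*=}
        case "$_vc_key" in
            VAULT_ADDR|VAULT_TOKEN|VAULT_CAPATH)
                export "$_vc_key=$_vc_val" ;;
            *)  echo "vaultctx: ignoring '$_vc_key'" >&2 ;;
        esac
    done < "$_vc_file"
    return 0
}
```

Define the function in the interactive shell's startup file so the exports land in the current session; a file left at mode 640 is rejected with exit status 3.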

@dragonndev (@oliverisaac & others too) - Hey, I was curious how much of this request may be possible using:

PS - May be related to #7159 & #2092

aphorise avatar Sep 01 '22 16:09 aphorise

hi guys, any progress here?

melezhik avatar Nov 17 '22 23:11 melezhik

Additional to what I mentioned earlier

joemiller/vault-token-helper

there's also:

I personally am of the opinion that this request should be closed, especially if it's not going to be developed prior to its 10th year anniversary :-)

aphorise avatar Sep 19 '23 10:09 aphorise

I would like a config file that allows me to update the defaults for login parameters.

For example, I wish I didn't have to set the oidc addresses when logging in on a remote VM with OIDC method:

vault login -method=oidc listenaddress="..." callbackhost="..."

https://support.hashicorp.com/hc/en-us/articles/15874139143955-OIDC-Login-via-CLI-on-a-Headless-Server
https://developer.hashicorp.com/vault/docs/auth/jwt#oidc-login-cli

Extending the ~/.vault config file would be ideal: https://developer.hashicorp.com/vault/docs/commands/token-helper

cognifloyd avatar Dec 07 '23 21:12 cognifloyd