Environment Variables Vault

Configuration

Storing secrets in environment variables is a common approach, because they can be injected at build time. No prior configuration is needed.

Examples

Define a secret in an environment variable:

  export MY_SECRET_VALUE=EXAMPLE_VALUE

You can now reference this secret:

  {vault://env/my-secret-value}

You can also define a JSON string if you want to store multiple secrets in a single environment variable:

  export PG_CREDS='{"username":"user", "password":"pass"}'

This allows you to reference each field separately:

  {vault://env/pg-creds/username}
  {vault://env/pg-creds/password}

Entity

The Vault entity can only be used once the database is initialized. Secrets for values that are used before the database is initialized can’t make use of the Vault entity.

Admin API

cURL:

  curl -i -X PUT http://HOSTNAME:8001/vaults/my-env-vault \
    --data name=env \
    --data description="Store secrets in environment variables"

HTTPie:

  http -f PUT :8001/vaults/my-env-vault \
    name="env" \
    description="Store secrets in environment variables"

Result:

  {
    "config": {
      "prefix": null
    },
    "created_at": 1644942689,
    "description": "Store secrets in environment variables",
    "id": "2911e119-ee1f-42af-a114-67061c3831e5",
    "name": "env",
    "prefix": "my-env-vault",
    "tags": null,
    "updated_at": 1644942689
  }

Declarative configuration

Secrets management is supported in decK 1.16 and later.

Add the following snippet to your declarative configuration file:

  _format_version: "3.0"
  vaults:
  - config:
      prefix: null
    description: Store secrets in environment variables
    name: env
    prefix: my-env-vault

With the entity in place, you can reference secrets like this:

  {vault://my-env-vault/my-secret-value}
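A pre-deployment check for the references shown on this page, as an added example that is not the gateway's own implementation: it finds every `{vault://...}` reference in a configuration text and reports the ones that would not resolve, without ever returning the secret values. The name mapping (`my-secret-value` to `MY_SECRET_VALUE`) is inferred from the examples above, and `env_name`, `resolve`, `unresolved` and the `env_vaults` parameter are hypothetical names.

```python
import json
import re

# Matches {vault://<vault>/<name>} and {vault://<vault>/<name>/<key>}
REF_RE = re.compile(r"\{vault://([^/{}\s]+)/([^/{}\s]+)(?:/([^/{}\s]+))?\}")

def env_name(secret_name):
    # Assumption taken from the page's examples: my-secret-value -> MY_SECRET_VALUE
    return secret_name.replace("-", "_").upper()

def resolve(ref, environ, env_vaults=("env",)):
    """Return the value a reference points to; raise LookupError if it cannot resolve."""
    m = REF_RE.fullmatch(ref)
    if not m:
        raise LookupError("not a vault reference")
    vault, name, key = m.groups()
    if vault not in env_vaults:
        raise LookupError(f"vault '{vault}' is not a known env vault prefix")
    var = env_name(name)
    if var not in environ:
        raise LookupError(f"environment variable {var} is not set")
    if key is None:
        return environ[var]
    try:
        fields = json.loads(environ[var])
    except json.JSONDecodeError:
        raise LookupError(f"{var} is not JSON, cannot read key '{key}'") from None
    if not isinstance(fields, dict) or key not in fields:
        raise LookupError(f"{var} has no key '{key}'")
    return fields[key]

def unresolved(text, environ, env_vaults=("env",)):
    """List (reference, reason) for each reference that fails; secret values are never included."""
    problems = []
    for m in REF_RE.finditer(text):
        try:
            resolve(m.group(0), environ, env_vaults)
        except LookupError as exc:
            problems.append((m.group(0), str(exc)))
    return problems

# Constructed sample environment and configuration text, reusing the page's example values
SAMPLE_ENV = {"MY_SECRET_VALUE": "EXAMPLE_VALUE",
              "PG_CREDS": '{"username":"user", "password":"pass"}'}
SAMPLE_CONFIG = """pg_user = {vault://env/pg-creds/username}
pg_password = {vault://env/pg-creds/passwd}
token = {vault://my-env-vault/my-secret-value}
cert = {vault://env/tls-key}"""
```

Pass `os.environ` and the prefixes of your own Vault entities (here `("env", "my-env-vault")`) to run the same check against a real configuration file before a deployment.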