Environment Variables Vault

This feature is released as and should not be deployed in a production environment.

Configuration

Storing secrets in environment variables is a common way as they can be injected at build time. There is no prior configuration needed.

Examples

Define a secret in a environment variable:

  1. export MY_SECRET_VALUE=opensesame

We can now reference this secret

  1. {vault://env/my-secret-value}

You can also define a json string if you want to store multiple secrets in a single environment variable.

  1. export PG_CREDS='{"username":"user", "password":"pass"}'

This allows you to do

  1. {vault://env/pg-creds/username}
  2. {vault://env/pg-creds/password}

Entity

The Vault entity can only be used once the database is initialized. Secrets for values that are used before the database is initialized can’t make use of the Vaults entity.

cURL

HTTPie

  1. curl -i -X PUT http://<hostname>:8001/vaults-beta/my-env-vault \
  2.         --data name=env \
  3.         --data description="Store secrets in environment variables"
  1. http PUT :8001/vaults-beta/my-env-vault \
  2.   name="env" \
  3.   description="Store secrets in environment variables" \
  4.   -f

Result:

  1. {
  2.     "config": {
  3.         "prefix": null
  4.     },
  5.     "created_at": 1644942689,
  6.     "description": "Store secrets in environment variables",
  7.     "id": "2911e119-ee1f-42af-a114-67061c3831e5",
  8.     "name": "env",
  9.     "prefix": "my-env-vault",
  10.     "tags": null,
  11.     "updated_at": 1644942689
  12. }

With the entity in place you can reference secrets like this:

  1. {vault://my-env-vault/my-secret-value}