HashiCorp Vault is a security management platform used to manage access to sensitive data, such as encryption keys, authentication tokens and passwords. Vault helps ensure that sensitive data is stored securely, by granting access only to those with appropriate access rights.
Here we will try to use vault to be used to store dotenv files of an application or service. The prerequisite is that you have vault installed (in client too, ex: vm server / laptop, we will use vault cli) and root account
Create ACL policy
First, we should to create ACL policy that will be consume by user using root token.
In this example, later we will create an key value secrets in testing/… then we need to define path in the ACL policy. Create account with read-only policy too for apps / services.
Second, create user testing for admin and testing-ro for apps / services. We using “user password” method.
Attach user to policy that we have created earlier. In this section, we have to use vault cli because i doesn’t see attach policy configuration in web ui. don’t forget to use root token.
Enable secrets engine ‘testing’ useing root token
Now, we can use ‘testing’ user for create, read, update, and delete the secrets. login using ‘testing’ user.
Create an key value secret
Access using vault cli
we need login first, login with username that we create in earlier
access key value that we create
Save output to .env file
we can get output format to json and process with jq to get key=value output.
Great! now we can update .env through CI/CD pipeline using vault as secrets management