{"id":46051380,"url":"https://github.com/buddy/vault-plugin-secrets-engine-buddy","last_synced_at":"2026-03-01T09:02:29.834Z","repository":{"id":158169642,"uuid":"631922793","full_name":"buddy/vault-plugin-secrets-engine-buddy","owner":"buddy","description":"HashiCorp Vault Secrets Engine Plugin For Buddy","archived":false,"fork":false,"pushed_at":"2026-01-15T08:40:07.000Z","size":456,"stargazers_count":2,"open_issues_count":1,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-01-15T14:59:05.463Z","etag":null,"topics":["access-token","buddy","golang","vault","vault-plugin","vault-plugin-secrets-buddy","vault-plugin-secrets-engine-buddy"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/buddy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-04-24T10:47:59.000Z","updated_at":"2026-01-15T08:40:10.000Z","dependencies_parsed_at":null,"dependency_job_id":"b0cc7bb6-a89a-4f71-9af1-7e69f50db2e3","html_url":"https://github.com/buddy/vault-plugin-secrets-engine-buddy","commit_stats":null,"previous_names":["buddy/vault-plugin-secrets-buddy"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/buddy/vault-plugin-secrets-engine-buddy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buddy%2Fvault-plugin-secrets-engine-buddy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buddy%2Fvault-plugin-secrets-engine-buddy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/Git
Hub/repositories/buddy%2Fvault-plugin-secrets-engine-buddy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buddy%2Fvault-plugin-secrets-engine-buddy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/buddy","download_url":"https://codeload.github.com/buddy/vault-plugin-secrets-engine-buddy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buddy%2Fvault-plugin-secrets-engine-buddy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29965419,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-01T06:55:38.174Z","status":"ssl_error","status_checked_at":"2026-03-01T06:53:04.810Z","response_time":124,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-token","buddy","golang","vault","vault-plugin","vault-plugin-secrets-buddy","vault-plugin-secrets-engine-buddy"],"created_at":"2026-03-01T09:02:29.227Z","updated_at":"2026-03-01T09:02:29.827Z","avatar_url":"https://github.com/buddy.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# The [HashiCorp Vault](https://www.vaultproject.io) plugin for [Buddy](https://buddy.works).\n\n## Binaries\n\nPre-built binaries for Linux, macOS and Windows can be found in the [releases 
directory](https://github.com/buddy/vault-plugin-secrets-engine-buddy/releases). For other platforms, there are currently no pre-built binaries available.\n\nTo compile a new binary, clone this repository and run `make` from the project directory.\n\n## Vault installation\n\nThe HashiCorp Vault plugin system is documented on HashiCorp's [Vault documentation site](https://www.vaultproject.io/docs/internals/plugins.html).\n\nTo install the plugin in Vault, define the plugin directory using the `plugin_directory` configuration directive and place the `vault-plugin-secrets-engine-buddy` executable in that directory.\n\nExample commands for registering and starting the plugin:\n\n```sh\n$ vault plugin register \\\n    -sha256=$(openssl sha256 -r \u003c vault-plugin-secrets-engine-buddy | cut -d' ' -f1) \\\n    -command=\"vault-plugin-secrets-engine-buddy\" \\\n    secret buddy\nSuccess! Registered plugin: buddy\n\n$ vault secrets enable buddy\nSuccess! Enabled the buddy secrets engine at: buddy/\n```\n\n## Root token configuration\n\n### Generating token\n\nTo create short-lived tokens, you first need to configure a [root token in Buddy](https://buddy.works/docs/api/getting-started/oauth2/personal-access-token). The root token must have the scope `TOKEN_MANAGE`:\n\n\u003cimg src=\"/root-token-config.png\" width=\"450\"\u003e\n\n\u003e**Note**\n\u003eYou can fortify your tokens by allowing access from selected IPs and/or workspace domains.\n\n\u003e**Warning**\n\u003eIt is not possible to set `ip_restrictions` and `workspace_restrictions` in the vault token if they are already defined in the root token – the restrictions are automatically inherited from root to child tokens.\n\n### Saving to vault\n\nOnce generated, copy the value of the token and save it to the vault:\n\n```sh\n$ vault write buddy/config token=ROOT_TOKEN\nSuccess! Data written to: buddy/config\n```\n\nAvailable options:\n\n- `token_auto_rotate` – enables auto-rotation of the root token one day before the expiration date. 
If an error is encountered, the plugin will reattempt to rotate the token every hour until it eventually expires.\n\n    \u003e **Warning**\n    \u003e If no auto-rotation is set, the token should be generated with no expiration date.\n\n- `token_ttl_in_days` – the lease time of the rotated root token in days. Default: `30`. Min: `2`\n- `base_url` – the Buddy API base URL. You may need to set this to your Buddy On-Premises API endpoint. Default: `https://api.buddy.works`\n- `insecure` – disables SSL certificate verification of the API calls. You may need to set this to `true` if you are using Buddy On-Premises without a signed certificate. Default: `false`\n\n### Rotating root token\n\nUpdates the root credentials used for communication with Buddy. Rotating the root token removes the old one. To rotate the token, run:\n\n```sh\n$ vault write -f buddy/rotate-root\nSuccess! Data written to: buddy/rotate-root\n```\n\n## Vault token configuration\n\n### Creating token role\n\nTo create a role for the token, run `vault write buddy/roles/ROLE_NAME` with the lease time and scopes.\n\nExample command for creating the RUN_PIPELINE role:\n\n```sh\n$ vault write buddy/roles/run_pipeline \\\n    ttl=30 \\\n    scopes=WORKSPACE,EXECUTION_RUN\nSuccess! Data written to: buddy/roles/run_pipeline   \n```\n\nAvailable options:\n\n- `ttl` – the default lease time for the generated token after which the token is automatically revoked. If not set or set to `0`, system default is used.\n- `max_ttl` – the maximum time the generated token can be extended to before it eventually expires. If not set or set to `0`, system default is used.\n- `scopes` – the [list of scopes](https://buddy.works/docs/api/getting-started/oauth2/introduction#supported-scopes) in the role, comma-separated.\n- `ip_restrictions` – the list of IP addresses to which the token is restricted, comma-separated. 
Leave blank if already defined in the root token (the restrictions are automatically inherited).\n- `workspace_restrictions` – the list of workspace domains to which the token is restricted, comma-separated. Leave blank if already defined in the root token (the restrictions are automatically inherited).\n\n### Generating role credentials\n\nTo generate new credentials, run `vault read buddy/creds/ROLE_NAME`:\n\n```sh\n$ vault read buddy/creds/run_pipeline\nKey                Value\n---                -----\nlease_id           buddy/creds/run_pipeline/EUwKywNTUy7Msa6jWs3FR8Fq\nlease_duration     30s\nlease_renewable    true\ntoken              5d225d46-c361-4b3f-ba84-9d83891313a0\n```\n\n### Extend/Revoke\n\nTo extend the lease time of the token, run\n```sh\n$ vault lease renew $lease_id\n```\n\nTo revoke the token, run\n```sh\n$ vault lease revoke $lease_id\n```\n\n### Saving into variable\n\nTo save the token into an environment variable, run\n\n```sh\n$ TOKEN=$(vault read -format=json buddy/creds/run_pipeline | jq -r .data.token)\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuddy%2Fvault-plugin-secrets-engine-buddy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbuddy%2Fvault-plugin-secrets-engine-buddy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuddy%2Fvault-plugin-secrets-engine-buddy/lists"}