{"id":31904156,"url":"https://github.com/cloudfoundry-community/vault-broker","last_synced_at":"2025-10-13T13:47:46.737Z","repository":{"id":57557323,"uuid":"58023340","full_name":"cloudfoundry-community/vault-broker","owner":"cloudfoundry-community","description":"A Cloud Foundry Service Broker for Vault Secure Storage","archived":false,"fork":false,"pushed_at":"2018-09-24T20:56:53.000Z","size":88,"stargazers_count":20,"open_issues_count":1,"forks_count":3,"subscribers_count":39,"default_branch":"master","last_synced_at":"2024-06-20T13:34:58.771Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudfoundry-community.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-05-04T04:43:12.000Z","updated_at":"2024-02-09T14:24:05.000Z","dependencies_parsed_at":"2022-09-07T23:51:03.000Z","dependency_job_id":null,"html_url":"https://github.com/cloudfoundry-community/vault-broker","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/cloudfoundry-community/vault-broker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry-community%2Fvault-broker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry-community%2Fvault-broker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry-community%2Fvault-broker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry-community%2Fvault-broker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudfoundry-community","download_url":"https://codeload.github.com/cloudfoundry-community/vault-broker/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry-community%2Fvault-broker/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279015339,"owners_count":26085685,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-13T02:00:06.723Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-13T13:47:40.662Z","updated_at":"2025-10-13T13:47:46.731Z","avatar_url":"https://github.com/cloudfoundry-community.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"Vault Service Broker\n====================\n\n[Vault][vault] is a secure credentials storage system from the\nfine people over at [Hashicorp][hashicorp].  If you work with\n[Cloud Foundry][cf] and [BOSH][bosh], you've probably already\nmet the [Vault BOSH release][release] over at\n[cloudfoundry-community][cfc].\n\nWouldn't it be awesome if you could use Vault from your Cloud\nFoundry applications?\n\nNow you can!\n\nYes indeed, this here is a _bona fide_ service broker for Vault,\nready to be dropped into your Cloud Foundry and bound to your\napplications.\n\n\nGetting Started\n---------------\n\nBefore you can do anything, you need a running service broker\nsomewhere.  The easiest way to do this is to push the broker\nitself as a CF application:\n\n```\ncf push vault-broker -m 128M -k 256M --no-start\ncf set-env vault-broker VAULT_ADDR  \"${url}\"\ncf set-env vault-broker VAULT_TOKEN \"${token}\"\ncf start vault-broker\n```\n\nThen, tell Cloud Foundry where the broker is...\n\n```\ncf create-service-broker vault ${user} ${pass} ${app_url}\n```\n\n(note that `${user}` and `${pass}` will both default to `vault`)\n\nNow, assuming you want to create a service named \"secrets\", and\nattach it to an app named \"password-manager\":\n\n```\ncf create-service vault shared secrets\ncf bind-service password-manager secrets\ncf restage password-manager\n```\n\nAll set!\n\n\nHow it Works\n------------\n\nEach service provisioned results in a new policy, keyed to the\ninstance ID.  This policy grants full access to a subset of the\nVault `secret/` backend hierarchy.\n\nWhen you bind the service to an application, the broker allocates\na new access token for the application to use, and then grants it\naccess to the services little corner of Vault.  This allows\nmultiple apps to share a space for secret credentials.\n\nFor example, if you create a service named 'secrets', and Cloud\nFoundry gives that service the GUID `1234`, the broker will:\n\n1. Create a policy named `1234`, that allows read / write / sudo\n   access to the `/secret/1234` path (and everything below).\n\n(that's it)\n\nWhen that service is bound to an application, Cloud Foundry\nassigns it a _binding ID_.  Let's assume that that binding ID is\n`ethel`.  The broker will:\n\n1. Create a new access token (assume its \"flibbertygibbet\")\n2. Associate \"flibbertygibbet\" with the `1234` policy\n3. Return the credentials to Cloud Foundry, which consist of:\n   - **token** - The access token (\"flibbertygibbet\")\n   - **vault** - The URL to the Vault (see `$VAULT_ADVERTISE_ADDR`,\n     in the _Configuration_ section)\n   - **vaults** - The Vault URLs used for HA (see `$VAULT_ADVERTISE_ADDR`,\n     in the _Configuration_ section)\n   - **root**  - The root path under which to create secrets.  In\n     this example, that will be `secret/1234`\n4. Record the token in an accounting record, at\n   `secret/acct/1234/ethel`.\n\nWhen a service is unbound, (`cf unbind-service`) the associated\ntoken is revoked, hence the account records!\nSee?  It's all coming together!\n\nWhen the service is deprovisioned (`cf delete-service`), the\npolicy will be removed, and all secrets stored under that services\npart of the Vault hierarchy are summarily removed.\n\n\nConfiguration\n-------------\n\nThe Vault Broker is configured entirely through environment\nvariables:\n\n  - **$BROKER_GUID** - GUID to use when registering the broker\n    with Cloud Foundry.  Defaults to `f89443a4-ae71-49b0-b726-23ee9c98ae6d`\n  - **$SERVICE_NAME** - Name of the service, as shown in the\n    marketplace.  Defaults to `vault`\n  - **$SERVICE_DESC** - A description of the service, also for the\n    marketplace.  Defaults to `Vault Secure Storage`\n  - **$SERVICE_TAGS** - A set of tags for the service, each\n    separated by a comma followed by a space.  By default, no tags\n    are configured.\n  - **$AUTH_USERNAME** - The username for authenticating\n    with Cloud Foundry.  Defaults to `vault`.\n  - **$AUTH_PASSWORD** - The password for authenticating\n    with Cloud Foundry.  Also defaults to `vault`.\n  - **$VAULT_ADDR** - The address to use when accessing the Vault\n    to set up new policies and manage provisioned services.  This\n    variable is **required**\n  - **$VAULT_ADVERTISE_ADDR** - The address to hand out to bound\n    applications, along with their credentials.  This defaults to\n    `$VAULT_ADDR`, but can be set separately if you need or want\n    applications to access the Vault via DNS, or over a load\n    balancer.\n  - **$VAULT_ADDRS** - The addresses to use when accessing the Vault\n    to set up new policies and manage provisioned services.  This\n    variable is **required** for HA. If the first address in the list\n    is unavailable, the broker will failover to the other vaults in\n    the list for token renewel/issuing/etc. (Note: the application \n    bound to the broker must also be configured to fail over to the \n    other addresses in the list)\n  - **$VAULT_ADVERTISE_ADDRS** - The addresses to hand out to bound\n    applications, along with their credentials.  This defaults to\n    `$VAULT_ADDRS`, but can be set separately if you need or want\n    applications to access Vaults via DNS, or over load\n    balancers.\n  - **$VAULT_TOKEN** - The token that the service broker will use\n    when interacting with the Vault.  This variable is\n    **required**, and you probably want to set it to a root token.\n  - **$VAULT_SKIP_VERIFY** - Instructs the broker to ignore SSL/TLS\n    certificate problems (self-signedness, domain mismatch,\n    expiration, etc.).  Set this at your own risk.  Note that this\n    will not be propagated to bound applications.\n  - **$VAULT_REFRESH_INTERVAL** - How often, in minutes, should the\n    broker renew tokens it has issued.  Defaults to 30 (minutes).\n\n\n[vault]:     https://vaultproject.io\n[hashicorp]: https://hashicorp.com\n[cf]:        https://cloudfoundry.org\n[bosh]:      https://bosh.io\n[release]:   https://github.com/cloudfoundry-community/vault-boshrelease\n[cfc]:       https://github.com/cloudfoundry-community\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudfoundry-community%2Fvault-broker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudfoundry-community%2Fvault-broker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudfoundry-community%2Fvault-broker/lists"}