{"id":25115720,"url":"https://github.com/devops-rob/vault-plugin-waypoint-secrets-engine","last_synced_at":"2025-04-02T11:41:22.423Z","repository":{"id":110463119,"uuid":"487399794","full_name":"devops-rob/vault-plugin-waypoint-secrets-engine","owner":"devops-rob","description":null,"archived":false,"fork":false,"pushed_at":"2022-06-17T16:13:15.000Z","size":31,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-02-08T02:35:28.776Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/devops-rob.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-04-30T23:05:24.000Z","updated_at":"2022-05-11T12:07:51.000Z","dependencies_parsed_at":null,"dependency_job_id":"cb38599f-ddc0-42f7-a955-bc9c0564ba70","html_url":"https://github.com/devops-rob/vault-plugin-waypoint-secrets-engine","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devops-rob%2Fvault-plugin-waypoint-secrets-engine","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devops-rob%2Fvault-plugin-waypoint-secrets-engine/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devops-rob%2Fvault-plugin-waypoint-secrets-engine/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devops-rob%2Fvault-plugin-waypoint-secrets-engine/m
anifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/devops-rob","download_url":"https://codeload.github.com/devops-rob/vault-plugin-waypoint-secrets-engine/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246811183,"owners_count":20837745,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-02-08T02:33:48.970Z","updated_at":"2025-04-02T11:41:22.249Z","avatar_url":"https://github.com/devops-rob.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Waypoint Secrets Engine for HashiCorp Vault\n\nThe waypoint secrets engine generates user tokens dynamically for a Waypoint server. This means that services that need to access a Waypoint server no longer need to hardcode tokens.\n\nVault uses its own internal revocation system to delete the waypoint users it creates when generating waypoint credentials, so that tokens become invalid within a reasonable time of the lease expiring.\n\n## Setup\n\nMost secrets engines must be configured in advance before they can perform their functions. These steps are usually completed by an operator or configuration management tool.\n\n\n1. Enable secrets engine:\n\n\n```shell\nvault secrets enable waypoint\n```\n\nBy default, the secrets engine will mount at the name of the engine. To enable the secrets engine at a different path, use the -path argument.\n\n\n2. 
Configure the credentials that Vault uses to communicate with waypoint to generate credentials:\n```shell\nvault write waypoint/config \\\n  addr=localhost:9701 \\\n  token=${WAYPOINT_TOKEN}\n```\n\n3. Configure a role that sets how long a token will be valid for:\n\n```shell\nvault write waypoint/role/my-role \\\n  ttl=180 \\\n  max_ttl=360 \n```\n\nBy writing to the roles/my-role path we are defining the my-role role. \n\n## Usage\n\nAfter the secrets engine is configured and a user/machine has a Vault token with the proper permission, it can generate credentials.\n\n1. Generate a new credential by reading from the /creds endpoint with the name of the role:\n```shell\nvault read waypoint/creds/my-role\n```\n\n## API\n\n### Setup\n\n1. Enable secrets engine\n\nSample request\n\n```shell\ncurl \\\n    -X POST \\\n    --header \"X-Vault-Token: ...\" \\\n    http://127.0.0.1:8200/v1/sys/mounts\n```\n\nSample payload\n\n```json\n{\n    \"type\": \"waypoint\"\n}\n```\n\n2. Configure the credentials that Vault uses to communicate with waypoint to generate credentials:\n\nSample request\n```shell\ncurl \\\n    -X POST \\\n    --header \"X-Vault-Token: ...\" \\\n    http://127.0.0.1:8200/v1/waypoint/config\n```\n\nSample payload\n```json\n{\n  \"addr\": \"localhost:9701\",\n  \"token\": \"insert waypoint token here\"\n}\n```\n\n3. Configure a role that maps a name in Vault to a waypoint scope and roles:\n\nSample request\n```shell\ncurl \\\n    -X POST \\\n    --header \"X-Vault-Token: ...\" \\\n    http://127.0.0.1:8200/v1/waypoint/role/my-role\n```\n\nSample payload\n```json\n{\n    \"ttl\": 180,\n    \"max_ttl\": 360\n}\n```\n\n### Usage\n\n1. 
Generate a new credential by reading from the /creds endpoint with the name of the role:\n\nSample request\n```shell\ncurl \\\n    -X GET \\\n    --header \"X-Vault-Token: ...\" \\\n    http://127.0.0.1:8200/v1/waypoint/creds/my-role\n```\n\nSample response\n```json\n{\n    \"request_id\": \"ed281bc6-182d-a15e-d700-8c2e64897010\",\n    \"lease_id\": \"waypoint/creds/my-role/pH9CfQcAmE9va6CwQKOEPBsx\",\n    \"renewable\": true,\n    \"lease_duration\": 180,\n    \"data\": {\n        \"token\": \"BCkP8cw7qjrzhTt46...\",\n        \"user_id\": \"01G1Y870WBTWR9JRTEGSQED6WZ\"\n    },\n    \"wrap_info\": null,\n    \"warnings\": null,\n    \"auth\": null\n}\n```\n\n## Terraform\n\n### Setup\n\n1. Enable secrets engine:\n\n```hcl\nresource \"vault_mount\" \"waypoint\" {\n  path        = \"waypoint\"\n  type        = \"waypoint\"\n  description = \"This is the waypoint secrets engine\"\n}\n```\n\n2. Configure the credentials that Vault uses to communicate with waypoint to generate credentials:\n\n```hcl\nresource \"vault_generic_endpoint\" \"waypoint_config\" {\n  depends_on           = [\n    vault_mount.waypoint\n  ]\n  \n  path                 = \"waypoint/config\"\n  ignore_absent_fields = true\n\n  data_json = \u003c\u003cEOT\n{\n  \"addr\": \"localhost:9701\",\n  \"token\": \"...\"\n}\nEOT\n}\n\n```\n\n3. Configure a role that maps a name in Vault to a waypoint scope and roles:\n\n```hcl\nresource \"vault_generic_endpoint\" \"waypoint_role\" {\n  depends_on           = [\n    vault_mount.waypoint\n  ]\n  \n  path                 = \"waypoint/role/my-role\"\n  ignore_absent_fields = true\n\n  data_json = \u003c\u003cEOT\n{\n    \"ttl\": 180,\n    \"max_ttl\": 360\n}\nEOT\n}\n```\n\n## Usage\n\n1. 
Generate a new credential by reading from the /creds endpoint with the name of the role:\n\n```hcl\ndata \"vault_generic_secret\" \"waypoint_creds\" {\n  path = \"waypoint/creds/my-role\"\n}\n\noutput \"creds\" {\n  value     = data.vault_generic_secret.waypoint_creds.data\n  sensitive = true\n}\n```\n\n2. Read the output from Terraform's state file:\n\n```shell\nterraform output creds\n```\n\nExample response:\n\n```\ntomap({\n  \"token\" = \"BCkP8cw7qjrzhTt46...\"\n  \"user_id\" = \"u_TxJs1IabfY\"\n})\n```\n\n## License\n\nLicensed under the Apache License, Version 2.0 (the \"License\").\n\nYou may obtain a copy of the License at apache.org/licenses/LICENSE-2.0.\n\nUnless required by applicable law or agreed to in writing, software distributed under the License is distributed on an \"AS IS\" basis, without WARRANTIES or conditions of any kind, either express or implied.\n\nSee the License for the specific language governing permissions and limitations under the License.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevops-rob%2Fvault-plugin-waypoint-secrets-engine","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdevops-rob%2Fvault-plugin-waypoint-secrets-engine","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevops-rob%2Fvault-plugin-waypoint-secrets-engine/lists"}