{"id":43183200,"url":"https://github.com/gitrgoliveira/vault-plugin-secrets-openai","last_synced_at":"2026-02-09T10:12:36.212Z","repository":{"id":296891997,"uuid":"947264245","full_name":"gitrgoliveira/vault-plugin-secrets-openai","owner":"gitrgoliveira","description":"OpenAI secrets engine for HashiCorp Vault","archived":false,"fork":false,"pushed_at":"2025-11-26T11:02:37.000Z","size":245,"stargazers_count":16,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-11-28T18:21:28.178Z","etag":null,"topics":["ai","artifical-intelligence","chatgpt","hashicorp-vault","openai","security"],"latest_commit_sha":null,"homepage":"https://www.hashicorp.com/en/blog/managing-openai-api-keys-with-hashicorp-vault-s-dynamic-secrets-plugin","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gitrgoliveira.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-03-12T12:16:16.000Z","updated_at":"2025-11-26T10:56:38.000Z","dependencies_parsed_at":"2025-06-03T06:08:55.341Z","dependency_job_id":"ce7adcc6-67b0-4d47-b24e-b2ddbc30c55f","html_url":"https://github.com/gitrgoliveira/vault-plugin-secrets-openai","commit_stats":null,"previous_names":["gitrgoliveira/vault-plugin-secrets-openai"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/gitrgoliveira/vault-plugin-secrets-openai","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories
/gitrgoliveira%2Fvault-plugin-secrets-openai","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitrgoliveira%2Fvault-plugin-secrets-openai/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitrgoliveira%2Fvault-plugin-secrets-openai/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitrgoliveira%2Fvault-plugin-secrets-openai/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gitrgoliveira","download_url":"https://codeload.github.com/gitrgoliveira/vault-plugin-secrets-openai/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitrgoliveira%2Fvault-plugin-secrets-openai/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28967109,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-01T03:46:10.227Z","status":"ssl_error","status_checked_at":"2026-02-01T03:46:01.693Z","response_time":56,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","artifical-intelligence","chatgpt","hashicorp-vault","openai","security"],"created_at":"2026-02-01T04:04:11.443Z","updated_at":"2026-02-01T04:04:12.149Z","avatar_url":"https://github.com/gitrgoliveira.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Vault OpenAI 
Secrets Plugin\n\nA HashiCorp Vault plugin for dynamic, secure management of OpenAI service accounts and API keys using the OpenAI Admin API. This plugin enables you to create, rotate, and revoke OpenAI project service accounts and API keys on demand, with full automation and security best practices.\n\nThis plugin was developed and tested with Vault 1.19.4.\n\n\u003e [!IMPORTANT]\n\u003e Use at your own risk and conduct your own testing before deploying. This plugin is not officially supported by HashiCorp and is provided as-is.\n\u003e\n---\n\n## Table of Contents\n- [Features](#features)\n- [Quick Start](#quick-start)\n- [API Reference](#api-reference)\n- [Installation](#installation)\n- [Metrics and Monitoring](#metrics-and-monitoring)\n- [Development](#development)\n- [Usage with Docker](#usage-with-docker)\n- [Usage without Docker](#usage-without-docker)\n- [Vagrant Development Environment](#vagrant-development-environment-recommended-for-linux-container-plugin-testing)\n- [License](#license)\n\n---\n\n## Features\n- **Dynamic Service Accounts**: Create OpenAI service accounts (with API keys) with configurable TTLs for improved security.\n- **Automatic Cleanup**: Service accounts and API keys are automatically cleaned up when leases expire.\n- **Admin API Key Rotation**: Securely rotate OpenAI admin keys manually or on a schedule.\n- **Metrics and Monitoring**: Prometheus-compatible metrics for credential issuance, revocation, and API errors.\n- **Containerized Deployment**: Run as a containerized Vault plugin with Docker (Linux only).\n\n\u003e **Note:** Only dynamic service account credentials are supported.\n\n---\n\n## Quick Start\n\n### 1. Download the Plugin\nYou can download the pre-built plugin binary from the [latest release page](https://github.com/gitrgoliveira/vault-plugin-secrets-openai/releases/latest).\n\n### 2. 
Fetch the Plugin Binary\n```shell\n# Download the plugin binary (replace VERSION with the latest release version)\nmkdir -p ./bin\ncurl -L -o ./bin/vault-plugin-secrets-openai https://github.com/gitrgoliveira/vault-plugin-secrets-openai/releases/download/VERSION/vault-plugin-secrets-openai\nchmod +x ./bin/vault-plugin-secrets-openai\n```\n\n### 3. Start a Dev Vault Server and Register the Plugin\n```shell\n# -dev-root-token-id pins the root token so that VAULT_TOKEN below matches it; dev mode keeps all state in memory\nvault server -dev -dev-root-token-id=root -dev-plugin-dir=./bin\n# In another terminal\nexport VAULT_ADDR=http://127.0.0.1:8200\nexport VAULT_TOKEN=root\n# Vault refuses to run a plugin whose binary does not match the SHA-256 registered here\nvault plugin register -sha256=$(shasum -a 256 ./bin/vault-plugin-secrets-openai | cut -d' ' -f1) \\\n  secret vault-plugin-secrets-openai\nvault secrets enable -path=openai vault-plugin-secrets-openai\n```\n\n### 4. Configure the Plugin\n```shell\nvault write openai/config \\\n  admin_api_key=\"sk-admin-...\" \\\n  admin_api_key_id=\"admin-key-id-...\" \\\n  organization_id=\"org-123456\"\n```\n\n### 5. Create a Role\n```shell\nvault write openai/roles/my-role \\\n  project_id=\"proj_my-project\" \\\n  service_account_name_template=\"vault-{{.RoleName}}-{{.RandomSuffix}}\" \\\n  ttl=1h \\\n  max_ttl=24h\n```\n\n### 6. 
Generate an API Key\n```shell\nvault read openai/creds/my-role\n```\n\nSample response (the lease path, TTL and service account name follow the role created in step 5):\n```\nKey                Value\n---                -----\nlease_id           openai/creds/my-role/abcdef12345\nlease_duration     1h\nlease_renewable    true\napi_key            sk-...\napi_key_id         api_key_abc123\nservice_account    vault-my-role-12345\nservice_account_id svc_abc123\n```\n\n---\n\n## API Reference\n\n### Configuration API\n\n#### Configure the Plugin\n```\nPOST /openai/config\nPUT /openai/config\n```\nConfigures the OpenAI secrets engine with admin API credentials.\n\n**Parameters:**\n- `admin_api_key` (string, required) - Admin API key for OpenAI (stored by Vault; never returned on read)\n- `admin_api_key_id` (string, required) - Admin API key ID for OpenAI\n- `organization_id` (string, required) - Organization ID for OpenAI\n- `api_endpoint` (string, optional) - URL for the OpenAI API (default: `https://api.openai.com/v1`)\n- `rotation_period` (duration, optional) - Period between automatic admin API key rotations\n- `rotation_window` (duration, optional) - Window during which rotation can occur\n- `disable_automated_rotation` (bool, optional) - Disable automated rotation of admin credentials\n\n**Example:**\n```shell\nvault write openai/config \\\n  admin_api_key=\"sk-admin-...\" \\\n  admin_api_key_id=\"admin-key-id-...\" \\\n  organization_id=\"org-123456\" \\\n  rotation_period=604800 # 7 days, given in seconds; a duration string such as 168h also works\n```\n\n#### Read Configuration\n```\nGET /openai/config\n```\nReturns the current configuration. The `admin_api_key` itself is never returned; only its `admin_api_key_id` is.\n\n**Response Fields:**\n- `api_endpoint` - The configured API endpoint\n- `organization_id` - The organization ID\n- `admin_api_key_id` - The admin API key ID\n- `rotation_period` - Automatic rotation period (if enabled)\n- `rotation_window` - Rotation window (if enabled)\n- `last_rotated` - Last rotation timestamp (if automated rotation is enabled)\n\n#### Delete Configuration\n```\nDELETE /openai/config\n```\nRemoves the configuration.\n\n#### Rotate Admin API 
Key\n```\nPOST /openai/config/rotate\n```\nManually rotates the admin API key. Creates a new admin API key and revokes the old one.\n\n### Roles API\n\n#### Create/Update Role\n```\nPOST /openai/roles/{name}\nPUT /openai/roles/{name}\n```\nCreates or updates a role definition for generating dynamic credentials.\n\n**Parameters:**\n- `name` (string, required) - Name of the role\n- `project_id` (string, required) - OpenAI Project ID (e.g., `proj_abc123`)\n- `service_account_name_template` (string, optional) - Template for service account names (default: `vault-{{.RoleName}}-{{.RandomSuffix}}`)\n- `service_account_description` (string, optional) - Description for service accounts (default: `Service account created by Vault`)\n- `ttl` (duration, optional) - Default TTL for API keys (default: `1h`)\n- `max_ttl` (duration, optional) - Maximum TTL for API keys (default: `24h`)\n\n**Example:**\n```shell\nvault write openai/roles/analytics \\\n  project_id=\"proj_abc123\" \\\n  service_account_name_template=\"analytics-{{.RoleName}}-{{.RandomSuffix}}\" \\\n  ttl=2h \\\n  max_ttl=24h\n```\n\n#### Read Role\n```\nGET /openai/roles/{name}\n```\nReturns the configuration for a specific role.\n\n#### List Roles\n```\nGET /openai/roles\n```\nLists all configured roles.\n\n#### Delete Role\n```\nDELETE /openai/roles/{name}\n```\nDeletes a role definition.\n\n### Dynamic Credentials API\n\n#### Generate Credentials\n```\nGET /openai/creds/{role_name}\n```\nGenerates new dynamic OpenAI credentials using the specified role.\n\n**Parameters:**\n- `role_name` (string, required) - Name of the role to use\n- `ttl` (duration, optional) - Custom TTL for this credential (must not exceed role's max_ttl)\n\n**Example:**\n```shell\nvault read openai/creds/analytics ttl=1h\n```\n\n---\n\n## Installation\n\n### Building the Plugin\n```shell\ngit clone https://github.com/gitrgoliveira/vault-plugin-secrets-openai.git\ncd vault-plugin-secrets-openai\nmake build\n```\n\n### Installing in Vault\n1. 
Copy the plugin binary to your Vault plugins directory:\n   ```shell\n   cp ./bin/vault-plugin-secrets-openai /path/to/vault/plugins/\n   ```\n2. Calculate the SHA256 sum of the plugin:\n   ```shell\n   SHA256=$(shasum -a 256 /path/to/vault/plugins/vault-plugin-secrets-openai | cut -d' ' -f1)\n   ```\n3. Register the plugin with Vault:\n   ```shell\n   vault plugin register -sha256=$SHA256 secret vault-plugin-secrets-openai\n   ```\n4. Enable the OpenAI secrets engine:\n   ```shell\n   vault secrets enable -path=openai -plugin-name=vault-plugin-secrets-openai plugin\n   ```\n\n---\n\n## Metrics and Monitoring\nThis plugin emits Prometheus-compatible metrics via Vault's telemetry system for observability and monitoring. These metrics can be scraped by Prometheus or viewed via Vault's telemetry endpoints.\n\n---\n\n## Development\n- Go 1.25.4+\n- Vault 1.19+ for containerized plugin support\n- Vagrant (for containerized plugin usage)\n\n---\n\n## Usage with Docker\n\n\u003e **Note:** Building and running Vault plugins with Docker is only supported on Linux hosts. If you are on macOS or Windows, you must build the plugin binary on a Linux machine or use a Linux VM/container for plugin development and testing. See the [Vault documentation](https://developer.hashicorp.com/vault/docs/plugins#plugin-platform-support) for details.\n\nYou can run the Vault OpenAI Secrets Plugin in a containerized environment using Docker. This is the recommended approach for most users.\n\n### 1. Build the Plugin Binary\n```shell\nmake build-release\n```\n\n### 2. Build the Docker Image\nA sample Dockerfile is provided. Build the image:\n```shell\nmake release VERSION=0.0.3\n```\n\n### 3. 
Run Vault in dev mode if not already running\n```shell\nexport VAULT_ADDR=http://127.0.0.1:8200\nexport VAULT_TOKEN=root\nexport DOCKER_HOST=unix:///run/user/1000/docker.sock # Adjust if using a different Docker socket\nnohup env DOCKER_HOST=$DOCKER_HOST vault server -dev -dev-root-token-id=root \u003e vault.log 2\u003e\u00261 \u0026\n\n```\n\n### 4. Register and Enable the Plugin\n```bash\n# Get the Docker image SHA256\nPLUGIN_SHA256=$(docker images --no-trunc --format=\"{{ .ID }}\" vault-plugin-secrets-openai:0.0.3 | cut -d: -f2)\n\n# Register the plugin runtime (if using containerized plugins)\nvault plugin runtime register -type=container -rootless=true -oci_runtime=runsc runsc\n\n# Register the plugin with Vault (replace 0.0.3 with your version)\nvault plugin register \\\n  -sha256=\"$PLUGIN_SHA256\" \\\n  -oci_image=\"vault-plugin-secrets-openai\" \\\n  -runtime=\"runsc\" \\\n  -version=\"0.0.3\" \\\n  secret vault-plugin-secrets-openai\n\n# Enable the secrets engine\nvault secrets enable -path=openai vault-plugin-secrets-openai\n```\n\n### 5. Configure the Plugin\n```bash\n# Configure with your OpenAI admin API key\nvault write openai/config admin_api_key=\"$OPENAI_ADMIN_API_KEY\" \\\nadmin_api_key_id=\"$ADMIN_API_KEY_ID\" \\\norganization_id=\"$OPENAI_ORG_ID\" \\\nrotation_period=\"720h\"\n\nvault read openai/config\nKey                           Value\n---                           -----\nadmin_api_key_id              key_OInm3Qed3kNn4BUQ\napi_endpoint                  https://api.openai.com/v1\ndisable_automated_rotation    false\nlast_rotated                  2025-07-02T15:30:45+00:00\norganization_id               org-gAZ0NbaPX8FD2YcdLsHiKx8v\nrotation_period               720h\nrotation_schedule             n/a\nrotation_window               0 \n```\n\nThe admin API key is used by Vault to create and manage service accounts in your OpenAI organization. The rotation period determines how often this root credential is automatically rotated. 
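The `last_rotated` and `rotation_period` fields in the output above are what you would watch to confirm that automated rotation of the admin key actually happens. The Go program below is an added example, not part of this plugin's code: it reads `openai/config` over Vault's HTTP API (`GET /v1/openai/config` with the token in the `X-Vault-Token` header) and flags the admin key as overdue once more than `rotation_period` has elapsed since `last_rotated`. The parser accepts `rotation_period` either as integer seconds or as a Go duration string such as `720h`, and `last_rotated` as RFC 3339, because which wire format the plugin returns is an assumption on my part. The `fakeVault` server and the sample config are constructed so the program runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// openaiConfig holds the fields `vault read openai/config` prints; the admin_api_key itself is never returned.
type openaiConfig struct {
	AdminAPIKeyID            string          `json:"admin_api_key_id"`
	DisableAutomatedRotation bool            `json:"disable_automated_rotation"`
	LastRotated              string          `json:"last_rotated"`    // RFC 3339, e.g. 2025-07-02T15:30:45+00:00
	RotationPeriod           json.RawMessage `json:"rotation_period"` // seconds (number) or "720h" (string): an assumption
}

// readConfig calls GET /v1/<mount>/config with the token in X-Vault-Token and unwraps Vault's {"data": ...} envelope.
func readConfig(vaultAddr, token, mount string) (openaiConfig, error) {
	req, err := http.NewRequest(http.MethodGet, vaultAddr+"/v1/"+mount+"/config", nil)
	if err != nil {
		return openaiConfig{}, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return openaiConfig{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return openaiConfig{}, fmt.Errorf("GET %s: %s", req.URL.Path, resp.Status)
	}
	var env struct{ Data openaiConfig `json:"data"` }
	err = json.NewDecoder(resp.Body).Decode(&env)
	return env.Data, err
}

// parseDuration accepts the integer-seconds form Vault's API normally uses for duration fields as well as a
// Go-style string such as "720h"; absent or null means 0. Which form this plugin returns is an assumption.
func parseDuration(raw json.RawMessage) (time.Duration, error) {
	if len(raw) == 0 || string(raw) == "null" {
		return 0, nil
	}
	var secs float64
	if json.Unmarshal(raw, &secs) == nil {
		return time.Duration(secs * float64(time.Second)), nil
	}
	var s string
	if err := json.Unmarshal(raw, &s); err != nil {
		return 0, fmt.Errorf("duration %s is neither a number nor a string", raw)
	}
	return time.ParseDuration(s)
}

// rotationOverdue reports whether the admin key should have rotated by now but has not: more than rotation_period
// has elapsed since last_rotated, or rotation is enabled but has never run. An unset period is an error, not "ok".
func rotationOverdue(cfg openaiConfig, now time.Time) (bool, error) {
	if cfg.DisableAutomatedRotation {
		return false, nil
	}
	period, err := parseDuration(cfg.RotationPeriod)
	if err != nil || period <= 0 {
		return false, fmt.Errorf("automated rotation is not configured (rotation_period=%s, %v)", cfg.RotationPeriod, err)
	}
	if cfg.LastRotated == "" {
		return true, nil
	}
	last, err := time.Parse(time.RFC3339, cfg.LastRotated)
	if err != nil {
		return false, fmt.Errorf("last_rotated %q: %w", cfg.LastRotated, err)
	}
	return now.Sub(last) > period, nil
}

// fakeVault serves one constructed config reply so the check runs offline.
func fakeVault(cfg openaiConfig, wantToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != wantToken || r.URL.Path != "/v1/openai/config" {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		json.NewEncoder(w).Encode(map[string]any{"data": cfg})
	}))
}

func main() {
	// Constructed sample in the shape of the README's `vault read openai/config` output, last rotated 31 days ago.
	sample := openaiConfig{AdminAPIKeyID: "key_OInm3Qed3kNn4BUQ", RotationPeriod: json.RawMessage(`"720h"`),
		LastRotated: time.Now().UTC().Add(-31 * 24 * time.Hour).Format(time.RFC3339)}
	srv := fakeVault(sample, "root")
	defer srv.Close()
	cfg, err := readConfig(srv.URL, "root", "openai") // for a real server use VAULT_ADDR and a token that can read openai/config
	if err != nil {
		panic(err)
	}
	overdue, err := rotationOverdue(cfg, time.Now())
	fmt.Printf("admin key %s last rotated %s (period %s): overdue=%v err=%v\n", cfg.AdminAPIKeyID, cfg.LastRotated, cfg.RotationPeriod, overdue, err)
}
```

Against a real server the token only needs `read` on `openai/config`, and it never sees the admin key, since the read endpoint omits it. If you set `rotation_window`, add it to the period before alerting; otherwise the check fires during the window in which Vault is still allowed to rotate.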
See the [API Reference](#api-reference) section above for all supported parameters.\n\nYou can also use `vault write -force openai/config/rotate` to force the rotation.\n\n### 6. Create Roles\nRoles define which OpenAI project credentials are created in, how the service accounts are named, and the TTLs of the credentials issued to a given application:\n```bash\n# Create a role for your application\nvault write openai/roles/my-application \\\n  project_id=\"$OPENAI_TEST_PROJECT_ID\" \\\n  service_account_name_template=\"vault-{{.RoleName}}-{{.RandomSuffix}}\" \\\n  ttl=\"1h\" max_ttl=\"24h\"\n```\n\n### 7. Generate an API Key\n```shell\nvault read openai/creds/my-application\n```\n\nSample response:\n```\nKey                Value\n---                -----\nlease_id           openai/creds/my-application/abcdef12345\nlease_duration     1h\nlease_renewable    true\napi_key            sk-...\napi_key_id         api_key_abc123\nservice_account    vault-my-application-12345\nservice_account_id svc_abc123\n```\n\n---\n\n## Usage without Docker\n\nYou can also run the plugin directly on your host system (Linux/macOS) without Docker.\n\n### 1. Build the Plugin Binary\n```shell\nmake build\n```\n\n### 2. Start a Dev Vault Server and Register the Plugin\n```shell\nvault server -dev -dev-root-token-id=root -dev-plugin-dir=./bin\n# In another terminal\nexport VAULT_ADDR=http://127.0.0.1:8200\nexport VAULT_TOKEN=root\nvault plugin register -sha256=$(shasum -a 256 ./bin/vault-plugin-secrets-openai | cut -d' ' -f1) \\\n  secret vault-plugin-secrets-openai\nvault secrets enable -path=openai -plugin-name=vault-plugin-secrets-openai plugin\n```\n\n### 3. 
Configure the Plugin\n```shell\nvault write openai/config \\\n  admin_api_key=\"sk-admin-...\" \\\n  admin_api_key_id=\"admin-key-id-...\" \\\n  organization_id=\"org-123456\"\n```\n\n---\n\n## Vagrant Development Environment (Recommended for Linux Container Plugin Testing)\n\nThis project provides a robust Vagrant-based development environment for building, testing, and running the Vault OpenAI Secrets Plugin with support for rootless Docker and gVisor/runsc.\n\n### Features\n- Automated provisioning of Go, Docker (rootless), and gVisor/runsc for containerized plugin testing.\n- Rootless Docker setup for the `vagrant` user, with correct socket and runtime configuration.\n- gVisor/runsc installed from the official APT repository, with fallback to `runc` if runsc is not compatible with rootless mode.\n- Automated plugin build, Docker image creation, and Vault plugin registration inside the VM.\n- Integration and unit test scripts for plugin validation.\n\n### Prerequisites\n- [Vagrant](https://www.vagrantup.com/)\n- [VirtualBox](https://www.virtualbox.org/)\n\n### Quick Start (Vagrant)\n\n1. **Start the Vagrant VM and provision:**\n   ```sh\n   vagrant up\n   ```\n   This will:\n   - Install Go, Docker (rootless), and gVisor/runsc\n   - Set up Docker for the `vagrant` user in rootless mode\n   - Build the plugin and Docker image\n   - Start Vault in dev mode and register the plugin\n\n2. **SSH into the VM:**\n   ```sh\n   vagrant ssh\n   cd vault-plugin-secrets-openai\n   ```\n\n3. 
**Run tests:**\n   - **Unit tests:**\n     ```sh\n     ./scripts/run_tests.sh\n     ```\n   - **Integration tests:**\n     ```sh\n     ./scripts/run_tests.sh --integration\n     ```\n     You will be prompted for your OpenAI Admin API Key, Organization ID, and Test Project ID.\n\n#### Notes on Docker and gVisor/runsc\n- The provisioning scripts attempt to use `runsc` as the Docker runtime for containerized plugin testing.\n- **gVisor/runsc is not fully compatible with rootless Docker** due to systemd/cgroup limitations. If runsc fails, the scripts will automatically fall back to the default `runc` runtime for plugin build and Vault registration.\n- The correct Docker socket (`/run/user/1000/docker.sock`) is set via the `DOCKER_HOST` environment variable for all Vault and Docker operations.\n\n#### Environment Variables\n- `VAULT_ADDR`, `VAULT_TOKEN`, and `DOCKER_HOST` are set automatically in the VM for the `vagrant` user.\n- For integration tests, you will need to provide:\n  - `OPENAI_ADMIN_API_KEY`\n  - `OPENAI_ORG_ID`\n  - `OPENAI_TEST_PROJECT_ID`\n\n#### Troubleshooting\n- If you see errors about Docker socket permissions or plugin registration, ensure that `DOCKER_HOST` is set to the rootless Docker socket and that Vault is running with this environment variable.\n- If you need to reprovision from scratch:\n  ```sh\n  vagrant destroy -f\n  vagrant up\n  ```\n\n#### File Overview\n- `scripts/vagrant_provision_as_root.sh`: Installs system dependencies (Go, Docker, gVisor, etc.)\n- `scripts/vagrant_provision_as_user.sh`: Configures Docker rootless mode, builds the plugin, starts Vault, and registers the plugin.\n- `scripts/run_tests.sh`: Runs unit and integration tests for the plugin.\n\n---\n\n## License\nThis project is licensed under the Mozilla Public License 2.0 - see the [LICENSE](LICENSE) file for 
details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgitrgoliveira%2Fvault-plugin-secrets-openai","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgitrgoliveira%2Fvault-plugin-secrets-openai","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgitrgoliveira%2Fvault-plugin-secrets-openai/lists"}
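The `vault read openai/creds/my-application` call in step 7 of the Docker walkthrough hands a workload a lease-bound OpenAI key. The Go program below is an added example, not code from this plugin: it shows the consumer side of that lease over Vault's HTTP API, fetching `openai/creds/<role>`, passing only `api_key` to the work, and revoking the lease through `PUT /v1/sys/leases/revoke` when the work finishes, so the plugin deletes the service account then rather than at TTL expiry. `newFakeVault` is a constructed stand-in for Vault plus the plugin so the example runs offline; it answers with the same field names as the sample response above and a made-up `sk-constructed-...` key.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
)

type openaiCreds struct{ LeaseID, APIKey, APIKeyID, ServiceAccount string } // one lease from <mount>/creds/<role>, keys as in the README sample
type vaultClient struct{ addr, token string }                               // minimal stdlib-only Vault HTTP API client; X-Vault-Token carries the auth

// call sends one request (body is a JSON document or "") and decodes the JSON reply into out (nil to discard it).
func (v *vaultClient) call(method, path, body string, out any) error {
	req, err := http.NewRequest(method, v.addr+"/v1/"+path, strings.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("X-Vault-Token", v.token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 { // e.g. 403 for a bad token, 404 for an unknown role
		return fmt.Errorf("%s %s: %s", method, path, resp.Status)
	}
	if out == nil {
		return nil
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// issueCreds reads <mount>/creds/<role>; Vault wraps the plugin's data in a lease envelope.
func (v *vaultClient) issueCreds(mount, role string) (openaiCreds, error) {
	var env struct {
		LeaseID string            `json:"lease_id"`
		Data    map[string]string `json:"data"`
	}
	if err := v.call(http.MethodGet, mount+"/creds/"+role, "", &env); err != nil {
		return openaiCreds{}, err
	}
	if env.LeaseID == "" || env.Data["api_key"] == "" {
		return openaiCreds{}, fmt.Errorf("role %s: reply carries no lease_id or api_key", role)
	}
	return openaiCreds{LeaseID: env.LeaseID, APIKey: env.Data["api_key"], APIKeyID: env.Data["api_key_id"], ServiceAccount: env.Data["service_account"]}, nil
}

// revokeLease retires the lease now, so the plugin deletes the service account and key before the TTL runs out.
func (v *vaultClient) revokeLease(leaseID string) error {
	body, _ := json.Marshal(map[string]string{"lease_id": leaseID}) // a map of strings cannot fail to marshal
	return v.call(http.MethodPut, "sys/leases/revoke", string(body), nil)
}

// runWithCreds issues a credential, hands only the key to job, and revokes the lease whether job succeeds or fails.
func runWithCreds(v *vaultClient, mount, role string, job func(apiKey string) error) (err error) {
	creds, err := v.issueCreds(mount, role)
	if err != nil {
		return err
	}
	defer func() { // a revoke that fails leaves a live key until max_ttl, so the error must surface
		if rerr := v.revokeLease(creds.LeaseID); rerr != nil && err == nil {
			err = rerr
		}
	}()
	fmt.Printf("issued %s for %s (key id %s)\n", creds.LeaseID, creds.ServiceAccount, creds.APIKeyID) // never log the key
	return job(creds.APIKey)
}

// newFakeVault is a constructed stand-in for Vault plus this plugin so the example runs offline: GET creds mints a
// lease and PUT sys/leases/revoke retires one (real Vault also answers 204 there); active counts leases still alive.
func newFakeVault(token string) (*httptest.Server, *atomic.Int32) {
	var n, active atomic.Int32
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		role := strings.TrimPrefix(r.URL.Path, "/v1/openai/creds/")
		switch {
		case r.Header.Get("X-Vault-Token") != token:
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
		case r.Method == http.MethodGet && role != r.URL.Path:
			sa := fmt.Sprintf("vault-%s-%05d", role, n.Add(1))
			active.Add(1)
			json.NewEncoder(w).Encode(map[string]any{"lease_id": "openai/creds/" + role + "/" + sa, "lease_duration": 3600,
				"data": map[string]string{"api_key": "sk-constructed-" + sa, "api_key_id": "api_key_" + sa, "service_account": sa}})
		case r.Method == http.MethodPut && r.URL.Path == "/v1/sys/leases/revoke":
			active.Add(-1)
			w.WriteHeader(http.StatusNoContent)
		}
	}))
	return srv, &active
}

func main() {
	srv, active := newFakeVault("root")
	defer srv.Close()
	err := runWithCreds(&vaultClient{addr: srv.URL, token: "root"}, "openai", "my-application", func(string) error { return nil })
	fmt.Println("job error:", err, "| leases still active:", active.Load())
}
```

Revoke errors are propagated rather than dropped because a revoke that silently fails leaves a usable key until `max_ttl`. To run this against a real server, point `vaultClient` at `VAULT_ADDR` with a token whose policy grants `read` on `openai/creds/<role>` and `update` on `sys/leases/revoke`; the job callback would then send the key as `Authorization: Bearer` to the OpenAI API.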