{"id":18053347,"url":"https://github.com/luzifer/git-credential-vault","last_synced_at":"2025-04-10T19:42:54.905Z","repository":{"id":44844678,"uuid":"252166269","full_name":"Luzifer/git-credential-vault","owner":"Luzifer","description":"Implementation of the Git Credential Storage utilizing Vault as storage backend","archived":false,"fork":false,"pushed_at":"2022-01-22T02:32:17.000Z","size":44,"stargazers_count":9,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-24T17:21:21.540Z","etag":null,"topics":["git","git-credential","git-credential-helper","golang","vault"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Luzifer.png","metadata":{"files":{"readme":"README.md","changelog":"History.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-04-01T12:17:56.000Z","updated_at":"2024-09-23T00:07:35.000Z","dependencies_parsed_at":"2022-07-20T21:02:46.455Z","dependency_job_id":null,"html_url":"https://github.com/Luzifer/git-credential-vault","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Luzifer%2Fgit-credential-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Luzifer%2Fgit-credential-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Luzifer%2Fgit-credential-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Luzifer%2Fgit-credential-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Luzifer","download_ur
l":"https://codeload.github.com/Luzifer/git-credential-vault/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248281420,"owners_count":21077423,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["git","git-credential","git-credential-helper","golang","vault"],"created_at":"2024-10-30T23:16:51.998Z","updated_at":"2025-04-10T19:42:54.877Z","avatar_url":"https://github.com/Luzifer.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Go Report Card](https://goreportcard.com/badge/github.com/Luzifer/git-credential-vault)](https://goreportcard.com/report/github.com/Luzifer/git-credential-vault)\n![](https://badges.fyi/github/license/Luzifer/git-credential-vault)\n![](https://badges.fyi/github/downloads/Luzifer/git-credential-vault)\n![](https://badges.fyi/github/latest-release/Luzifer/git-credential-vault)\n![](https://knut.in/project-status/git-credential-vault)\n\n# Luzifer / git-credential-vault\n\n`git-credential-vault` is an implementation of the [Git Credential Storage](https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage) utilizing [Vault](https://www.vaultproject.io/) as storage backend.\n\nThe only supported action is `get` as storage is managed through Vault related tools / the web-UI. The tool expects to find Vault keys per host containing `username` / `password` fields in it. 
Those fields are then combined with the data received from git and sent back for authentication.\n\n## Expected Vault structure\n\n```\nsecret/git-credentials (pass this to --vault-path-prefix)\n +- github.com\n |   +- username = api\n |   +- password = verysecrettoken\n +- gitlab.com\n     +- username = user\n     +- password = anothertoken\n```\n\n## Usage\n\n```console\n# export VAULT_ADDR=http://localhost:8200\n# export VAULT_TOKEN=somesecretvaulttoken\n# echo -e \"protocol=https\\nhost=github.com\\n\\n\" | ./git-credential-vault --vault-path-prefix secret/git-credentials get\nhost=github.com\nusername=api\npassword=myverysecrettoken\nprotocol=https\n```\n\n### Vault KV Secrets Engine - Version 2\n\nThis tool supports both versions of the Vault KV Secrets Engine. You just need to consider one thing: Version 2 of the KV Secrets Engine uses slightly modified paths for reading secrets. To stay compatible with both versions of the Secrets Engine, you need to adjust the `vault-path-prefix` slightly when using Version 2:\n\n```bash\n# Version 1\nvault list secret_v1/git-credentials\n# Keys\n# ----\n# github.com\ngit config --global credential.helper 'vault --vault-path-prefix secret_v1/git-credentials'\n```\n\n```bash\n# Version 2\nvault kv list secret_v2/git-credentials\n# Keys\n# ----\n# github.com\ngit config --global credential.helper 'vault --vault-path-prefix secret_v2/data/git-credentials'\n```\n\nMind the extra `/data` after the mountpoint when the mountpoint uses version 2. 
If you omit it the tool will not work properly as it will not yield any credentials.\n\n### Dockerfile example (git clone)\n\nIn this example the `VAULT_TOKEN` is passed in through a build-arg which means you **MUST** revoke the token before pushing the image, otherwise you will be leaking an active credential!\n\n```Dockerfile\nFROM alpine\n\nARG VAULT_ADDR\nARG VAULT_TOKEN\n\nRUN set -ex \\\n \u0026\u0026 apk --no-cache add curl git \\\n \u0026\u0026 curl -sSfL \"https://github.com/Luzifer/git-credential-vault/releases/download/v0.1.0/git-credential-vault_linux_amd64.tar.gz\" | tar -xz -C /usr/bin \\\n \u0026\u0026 mv /usr/bin/git-credential-vault_linux_amd64 /usr/bin/git-credential-vault \\\n \u0026\u0026 git config --global credential.helper 'vault --vault-path-prefix secret/git-credentials'\n\nRUN set -ex \\\n \u0026\u0026 git clone https://github.com/myuser/secretrepo.git /src\n```\n\n```console\n# docker build --build-arg VAULT_ADDR=${VAULT_ADDR} --build-arg VAULT_TOKEN=${VAULT_TOKEN} --no-cache .\n```\n\n### Dockerfile example (go install)\n\nIn this example the `VAULT_TOKEN` is passed in through a build-arg which means you **MUST** revoke the token before pushing the image, otherwise you will be leaking an active credential!\n\n```Dockerfile\nFROM golang:alpine\n\nARG VAULT_ADDR\nARG VAULT_TOKEN\n\nRUN set -ex \\\n \u0026\u0026 apk --no-cache add git \\\n \u0026\u0026 go install github.com/Luzifer/git-credential-vault@latest \\\n \u0026\u0026 git config --global credential.helper 'vault --vault-path-prefix secret/git-credentials'\n\nRUN set -ex \\\n \u0026\u0026 go get -v github.com/myuser/secretrepo\n```\n\n```console\n# docker build --build-arg VAULT_ADDR=${VAULT_ADDR} --build-arg VAULT_TOKEN=${VAULT_TOKEN} --no-cache 
.\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fluzifer%2Fgit-credential-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fluzifer%2Fgit-credential-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fluzifer%2Fgit-credential-vault/lists"}