{"id":13668733,"url":"https://github.com/philips-labs/spiffe-vault","last_synced_at":"2025-04-07T05:17:01.490Z","repository":{"id":37965304,"uuid":"400135443","full_name":"philips-labs/spiffe-vault","owner":"philips-labs","description":"Integrates Spiffe and Vault to have secretless authentication","archived":false,"fork":false,"pushed_at":"2025-03-24T18:26:26.000Z","size":347,"stargazers_count":88,"open_issues_count":1,"forks_count":8,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-31T04:07:18.600Z","etag":null,"topics":["bottom-turtle","code-signing","cosign","hacktoberfest","hashicorp","helm","k8s","kubernetes","secrets","spiffe","spire","terraform","vault","zero-trust"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/philips-labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-08-26T10:53:00.000Z","updated_at":"2025-03-26T02:03:25.000Z","dependencies_parsed_at":"2023-11-13T13:40:20.127Z","dependency_job_id":"8c1e2c19-5476-4e19-b78e-66253adfff22","html_url":"https://github.com/philips-labs/spiffe-vault","commit_stats":{"total_commits":288,"total_committers":4,"mean_commits":72.0,"dds":"0.42361111111111116","last_synced_commit":"6feb26071343f0fe4b8b34042d9042c8a69b4c7f"},"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-labs%2Fspiffe-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-labs%2Fsp
iffe-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-labs%2Fspiffe-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-labs%2Fspiffe-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/philips-labs","download_url":"https://codeload.github.com/philips-labs/spiffe-vault/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247595335,"owners_count":20963943,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bottom-turtle","code-signing","cosign","hacktoberfest","hashicorp","helm","k8s","kubernetes","secrets","spiffe","spire","terraform","vault","zero-trust"],"created_at":"2024-08-02T08:00:48.156Z","updated_at":"2025-04-07T05:17:01.464Z","avatar_url":"https://github.com/philips-labs.png","language":"Go","funding_links":[],"categories":["Zero Trust","Utils","Go","零信任","terraform","Libraries for creating HTTP middlewares"],"sub_categories":["Utility/Miscellaneous","SDK","Routers","路由器","Tutorials"],"readme":"# SPIFFE Vault\n\nIntegrates [SPIFFE][spiffe] SVID authentication with [Hashicorp Vault][hashivault] to retrieve a `VAULT_TOKEN`.\n\n[![Go CI](https://github.com/philips-labs/spiffe-vault/actions/workflows/golang.yml/badge.svg)](https://github.com/philips-labs/spiffe-vault/actions/workflows/golang.yml)\n[![Go Report 
Card](https://goreportcard.com/badge/github.com/philips-labs/spiffe-vault)](https://goreportcard.com/report/github.com/philips-labs/spiffe-vault)\n[![codecov](https://codecov.io/gh/philips-labs/spiffe-vault/branch/main/graph/badge.svg)](https://codecov.io/gh/philips-labs/spiffe-vault)\n\n## Example usecases\n\n- Read secrets from Hashicorp Vault [Hashicorp Vault][hashivault] without providing a secret to authenticate against [Hashicorp Vault][hashivault]. Instead we will be using a [SPIFFE][spiffe] SVID to authenticate ourself against [Hashicorp Vault][hashivault].\n\n- Perform secretless/keyless code signing by utilizing the [Hashicorp Vault Transit engine](https://www.vaultproject.io/docs/secrets/transit) as a software defined HSM. This resolves the issue of having signing keys on a local machine as well resolves the issue of managing secrets to access the signing keys. Again we utilize the [SPIFFE][spiffe] SVID to authenticate against Hashicorp Vault.\n\n[hashivault]: https://vaultproject.org \"hashicorp Vault\"\n[spiffe]: https://spiffe.io \"SPIFFE\"\n\n## Build\n\n### Compile\n\n```bash\nmake build\n```\n\n### Docker\n\nUsing the default `DOCKER_HOST` on your system (usually `unix:///var/run/docker.sock`), you can build the docker image with:\n\n```bash\nmake image\n```\n\nUsing e.g. 
the colima `DOCKER_HOST` (usually `unix:///Users/marco/.colima/default/docker.sock`), you can build the docker image with:\n\n```bash\nDOCKER_HOST=unix:///Users/marco/.colima/default/docker.sock make image\n```\n\n## Use\n\n### Basic\n\n```bash\n$ export VAULT_ADDR=http://localhost:8200\n$ bin/spiffe-vault auth -role my-role\n# Export following environment variable to authenticate to Hashicorp Vault\nexport VAULT_TOKEN=s.IK1LBrCGXFQDAgawmhNLbcDH\n```\n\n### Advanced\n\nDepending on the shell you are using you can automatically export the variable.\n\n\u003cdetails\u003e\n  \u003csummary\u003ebash\u003c/summary\u003e\n\n```bash\n$ export VAULT_ADDR=http://localhost:8200\n$ echo \"$(bin/spiffe-vault auth -role my-role)\" \u003e /tmp/spiffe-vault\n$ source /tmp/spiffe-vault\n$ vault kv get secrets/my-key\n====== Metadata ======\nKey              Value\n---              -----\ncreated_time     2021-08-24T08:20:54.925866504Z\ndeletion_time    n/a\ndestroyed        false\nversion          1\n\n============= Data =============\nKey                       Value\n---                       -----\nusername                  marco\npassword                  Supers3cr3t!\n$ vault token lookup\nKey                 Value\n---                 -----\naccessor            rwpXIHXzbVIMN2TL25Lfssef\ncreation_time       1629970184\ncreation_ttl        1m\ndisplay_name        jwt-spiffe://dev.localhost/ns/my-app/sa/my-app-backend\nentity_id           8904661e-5a9f-3af5-c269-257e8a0a31d0\nexpire_time         2021-08-26T09:30:44.424072877Z\nexplicit_max_ttl    0s\nid                  s.eOdhqe1hVV0OPS7M0TSeEqjG\nissue_time          2021-08-26T09:29:44.424078028Z\nmeta                map[role:my-role]\nnum_uses            0\norphan              true\npath                auth/jwt/login\npolicies            [default my-role]\nrenewable           true\nttl                 13s\ntype                service\n$ vault token renew\nKey                  Value\n---                  -----\ntoken           
     s.f1mFvr0TdEuvmfcZT0jBLCc5\ntoken_accessor       vxginlb81XMEIPefLpRz1P24\ntoken_duration       1m\ntoken_renewable      true\ntoken_policies       [\"default\" \"my-role\"]\nidentity_policies    []\npolicies             [\"default\" \"my-role\"]\ntoken_meta_role      my-role\n$ vault token lookup\nKey                  Value\n---                  -----\naccessor             vxginlb81XMEIPefLpRz1P24\ncreation_time        1629970320\ncreation_ttl         1m\ndisplay_name         jwt-spiffe://dev.localhost/ns/my-app/sa/my-app-backend\nentity_id            8904661e-5a9f-3af5-c269-257e8a0a31d0\nexpire_time          2021-08-26T09:33:53.57444787Z\nexplicit_max_ttl     0s\nid                   s.f1mFvr0TdEuvmfcZT0jBLCc5\nissue_time           2021-08-26T09:32:00.135787193Z\nlast_renewal         2021-08-26T09:32:53.574447972Z\nlast_renewal_time    1629970373\nmeta                 map[role:my-role]\nnum_uses             0\norphan               true\npath                 auth/jwt/login\npolicies             [default my-role]\nrenewable            true\nttl                  56s\ntype                 service\n$ vault write transit/sign/my-key input=\"$(echo stuff | base64)\"\nKey            Value\n---            -----\nkey_version    1\nsignature      vault:v1:MEUCIFAWmHPyLJ6V0mjMgqr5UnV40bkCEUEGqApcYI54VAPIAiEAqyG2VkFc2wpYs/n47mK4vgfTVbXjWJzMM7Fxr/bR7LE=\n$ vault write transit/verify/my-key input=\"$(echo stuff | base64)\" signature=vault:v1:MEUCIFAWmHPyLJ6V0mjMgqr5UnV40bkCEUEGqApcYI54VAPIAiEAqyG2VkFc2wpYs/n47mK4vgfTVbXjWJzMM7Fxr/bR7LE=\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003ezsh\u003c/summary\u003e\n\n```zsh\n$ export VAULT_ADDR=http://localhost:8200\n$ source \u003c(bin/spiffe-vault auth -role my-role)\n$ vault kv get secrets/my-key\n====== Metadata ======\nKey              Value\n---              -----\ncreated_time     2021-08-24T08:20:54.925866504Z\ndeletion_time    n/a\ndestroyed        false\nversion          1\n\n============= Data 
=============\nKey                       Value\n---                       -----\nusername                  marco\npassword                  Supers3cr3t!\n$ vault token lookup\nKey                 Value\n---                 -----\naccessor            rwpXIHXzbVIMN2TL25Lfssef\ncreation_time       1629970184\ncreation_ttl        1m\ndisplay_name        jwt-spiffe://dev.localhost/ns/my-app/sa/my-app-backend\nentity_id           8904661e-5a9f-3af5-c269-257e8a0a31d0\nexpire_time         2021-08-26T09:30:44.424072877Z\nexplicit_max_ttl    0s\nid                  s.eOdhqe1hVV0OPS7M0TSeEqjG\nissue_time          2021-08-26T09:29:44.424078028Z\nmeta                map[role:my-role]\nnum_uses            0\norphan              true\npath                auth/jwt/login\npolicies            [default my-role]\nrenewable           true\nttl                 13s\ntype                service\n$ vault token renew\nKey                  Value\n---                  -----\ntoken                s.f1mFvr0TdEuvmfcZT0jBLCc5\ntoken_accessor       vxginlb81XMEIPefLpRz1P24\ntoken_duration       1m\ntoken_renewable      true\ntoken_policies       [\"default\" \"my-role\"]\nidentity_policies    []\npolicies             [\"default\" \"my-role\"]\ntoken_meta_role      my-role\n$ vault token lookup\nKey                  Value\n---                  -----\naccessor             vxginlb81XMEIPefLpRz1P24\ncreation_time        1629970320\ncreation_ttl         1m\ndisplay_name         jwt-spiffe://dev.localhost/ns/my-app/sa/my-app-backend\nentity_id            8904661e-5a9f-3af5-c269-257e8a0a31d0\nexpire_time          2021-08-26T09:33:53.57444787Z\nexplicit_max_ttl     0s\nid                   s.f1mFvr0TdEuvmfcZT0jBLCc5\nissue_time           2021-08-26T09:32:00.135787193Z\nlast_renewal         2021-08-26T09:32:53.574447972Z\nlast_renewal_time    1629970373\nmeta                 map[role:my-role]\nnum_uses             0\norphan               true\npath                 auth/jwt/login\npolicies             
[default my-role]\nrenewable            true\nttl                  56s\ntype                 service\n$ vault write transit/sign/my-key input=\"$(echo stuff | base64)\"\nKey            Value\n---            -----\nkey_version    1\nsignature      vault:v1:MEUCIFAWmHPyLJ6V0mjMgqr5UnV40bkCEUEGqApcYI54VAPIAiEAqyG2VkFc2wpYs/n47mK4vgfTVbXjWJzMM7Fxr/bR7LE=\n$ vault write transit/verify/my-key input=\"$(echo stuff | base64)\" signature=vault:v1:MEUCIFAWmHPyLJ6V0mjMgqr5UnV40bkCEUEGqApcYI54VAPIAiEAqyG2VkFc2wpYs/n47mK4vgfTVbXjWJzMM7Fxr/bR7LE=\n```\n\n\u003c/details\u003e\n\nSee the [example](example) directory for an example infrastructure setup on Kubernetes integrating the whole ecosystem. This includes a Spire and Vault deployment, as well as `spiffe-vault` as an example workload.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphilips-labs%2Fspiffe-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphilips-labs%2Fspiffe-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphilips-labs%2Fspiffe-vault/lists"}