{"id":13644444,"url":"https://github.com/sethvargo/vault-init","last_synced_at":"2025-04-21T07:31:28.265Z","repository":{"id":48326676,"uuid":"131338099","full_name":"sethvargo/vault-init","owner":"sethvargo","description":"Automate the initialization and unsealing of @HashiCorp Vault on @GoogleCloudPlatform","archived":true,"fork":false,"pushed_at":"2022-07-22T18:51:36.000Z","size":6042,"stargazers_count":82,"open_issues_count":1,"forks_count":53,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-11-09T16:44:34.408Z","etag":null,"topics":["google-cloud","hashicorp","kms","vault"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sethvargo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-04-27T19:41:19.000Z","updated_at":"2024-08-02T19:49:17.000Z","dependencies_parsed_at":"2022-08-28T13:30:42.725Z","dependency_job_id":null,"html_url":"https://github.com/sethvargo/vault-init","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sethvargo%2Fvault-init","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sethvargo%2Fvault-init/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sethvargo%2Fvault-init/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sethvargo%2Fvault-init/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sethvargo","download_url":"https://codeload.github.com/sethvargo/vault-init/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250014640,"owners_count":21360987,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["google-cloud","hashicorp","kms","vault"],"created_at":"2024-08-02T01:02:04.942Z","updated_at":"2025-04-21T07:31:23.253Z","avatar_url":"https://github.com/sethvargo.png","language":"Go","readme":"# vault-init\n\nThe `vault-init` service automates the process of [initializing](https://www.vaultproject.io/docs/commands/operator/init.html) and [unsealing](https://www.vaultproject.io/docs/concepts/seal.html#unsealing) HashiCorp Vault instances running on [Google Cloud Platform](https://cloud.google.com).\n\nAfter `vault-init` initializes a Vault server it stores master keys and root tokens, encrypted using [Google Cloud KMS](https://cloud.google.com/kms), to a user defined [Google Cloud Storage](https://cloud.google.com/storage) bucket.\n\n## Usage\n\nThe `vault-init` service is designed to be run alongside a Vault server and\ncommunicate over local host.\n\nYou can download the code and compile the binary with Go. Alternatively, a\nDocker container is available via the Docker Hub:\n\n```text\n$ docker pull sethvargo/vault-init\n```\n\nTo use this as part of a Kubernetes Vault Deployment:\n\n```yaml\ncontainers:\n- name: vault-init\n  image: registry.hub.docker.com/sethvargo/vault-init:0.1.2\n  imagePullPolicy: Always\n  env:\n  - name: GCS_BUCKET_NAME\n    value: my-gcs-bucket\n  - name: KMS_KEY_ID\n    value: projects/my-project/locations/my-location/cryptoKeys/my-key\n```\n\n## Configuration\n\nThe `vault-init` service supports the following environment variables for configuration:\n\n- `CHECK_INTERVAL` (\"10s\") - The time duration between Vault health checks. Set\n  this to a negative number to unseal once and exit.\n\n- `GCS_BUCKET_NAME` - The Google Cloud Storage Bucket where the Vault master key\n  and root token is stored.\n\n- `KMS_KEY_ID` - The Google Cloud KMS key ID used to encrypt and decrypt the\n  vault master key and root token.\n\n- `VAULT_SECRET_SHARES` (5) - The number of human shares to create.\n\n- `VAULT_SECRET_THRESHOLD` (3) - The number of human shares required to unseal.\n\n- `VAULT_AUTO_UNSEAL` (true) - Use Vault 1.0 native auto-unsealing directly. You must\n  set the seal configuration in Vault's configuration.\n\n- `VAULT_STORED_SHARES` (1) - Number of shares to store on KMS. Only applies to\n  Vault 1.0 native auto-unseal.\n\n- `VAULT_RECOVERY_SHARES` (1) - Number of recovery shares to generate. Only\n  applies to Vault 1.0 native auto-unseal.\n\n- `VAULT_RECOVERY_THRESHOLD` (1) - Number of recovery shares needed to trigger an auto-unseal.\n  Only applies to Vault 1.0 native auto-unseal.\n\n- `VAULT_SKIP_VERIFY` (false) - Disable TLS validation when connecting. Setting\n  to true is highly discouraged.\n\n- `VAULT_CACERT` (\"\") - Path on disk to the CA _file_ to use for verifying TLS\n  connections to Vault.\n\n- `VAULT_CAPATH` (\"\") - Path on disk to a directory containing the CAs to use\n  for verifying TLS connections to Vault. `VAULT_CACERT` takes precedence.\n\n- `VAULT_TLS_SERVER_NAME` (\"\") - Custom SNI hostname to use when validating TLS\n  connections to Vault.\n\n### Example Values\n\n```\nCHECK_INTERVAL=\"30s\"\nGCS_BUCKET_NAME=\"vault-storage\"\nKMS_KEY_ID=\"projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/key\"\n```\n\n### IAM \u0026amp; Permissions\n\nThe `vault-init` service uses the official Google Cloud Golang SDK. This means\nit supports the common ways of [providing credentials to GCP][cloud-creds].\n\nTo use this service, the service account must have the following minimum\nscope(s):\n\n```text\nhttps://www.googleapis.com/auth/cloudkms\nhttps://www.googleapis.com/auth/devstorage.read_write\n```\n\nAdditionally, the service account must have the following minimum role(s):\n\n```text\nroles/cloudkms.cryptoKeyEncrypterDecrypter\nroles/storage.objectAdmin OR roles/storage.legacyBucketWriter\n```\n\nFor more information on service accounts, please see the\n[Google Cloud Service Accounts documentation][service-accounts].\n\n[cloud-creds]: https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application\n[service-accounts]: https://cloud.google.com/compute/docs/access/service-accounts\n","funding_links":[],"categories":["Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsethvargo%2Fvault-init","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsethvargo%2Fvault-init","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsethvargo%2Fvault-init/lists"}