https://github.com/fairwindsops/vault-token-injector
A daemon to automatically inject and rotate your vault tokens in CircleCI.
- Host: GitHub
- URL: https://github.com/fairwindsops/vault-token-injector
- Owner: FairwindsOps
- License: apache-2.0
- Created: 2021-05-05T13:50:57.000Z (about 5 years ago)
- Default Branch: main
- Last Pushed: 2024-09-27T15:15:01.000Z (over 1 year ago)
- Last Synced: 2025-03-19T03:34:32.599Z (over 1 year ago)
- Topics: circleci, fairwinds-incubator, vault
- Language: Go
- Homepage: https://fairwinds.com
- Size: 3.9 MB
- Stars: 2
- Watchers: 15
- Forks: 0
- Open Issues: 5
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: CODEOWNERS
README
# vault-token-injector
A loop to keep vault access tokens up-to-date in circleci and/or terraform cloud
Injects new tokens into circleci build environments or terraform cloud workspaces on startup and every 30 minutes. Also injects the `VAULT_ADDR` variable.
# Configuration
An example configuration file is present [here](example_config.yaml). For each circleci project or terraform cloud workspace listed, the given `token_variable` is updated in that project or workspace. The vault token for that project is created with the provided `vault_role` and/or `vault_policies`. In addition, the `vault_address` field is injected as the `VAULT_ADDR` environment variable.
## Token TTL and Refresh Interval
The default token TTL is 60 minutes, and the default refresh interval is 30 minutes. This allows some overlap intentionally. If you wish to customize these numbers, you can set the following in your configuration:
```
token_ttl: 10m
token_refresh_interval: 1m
```
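The overlap between the two settings above can be checked before deploying a configuration. This Go program is an added example, not code from the vault-token-injector project: it parses a `token_ttl` / `token_refresh_interval` pair and reports the shortest lifetime a job can find on the injected token. `Window`, `ParseWindow` and `CoversJob` are hypothetical names, and it assumes a CI job reads the injected token once when it starts.

```go
package main

import (
	"fmt"
	"time"
)

// Window is the slack left by a token_ttl / token_refresh_interval pair.
type Window struct {
	TTL, Refresh time.Duration
	// MinRemaining is the lifetime left on the injected token at the
	// worst moment to read it: just before the next refresh replaces it.
	MinRemaining time.Duration
}

// ParseWindow parses both settings as Go time.Duration strings and rejects
// pairs where the token would expire before its replacement is injected.
func ParseWindow(ttl, refresh string) (Window, error) {
	t, err := time.ParseDuration(ttl)
	if err != nil {
		return Window{}, fmt.Errorf("token_ttl: %w", err)
	}
	r, err := time.ParseDuration(refresh)
	if err != nil {
		return Window{}, fmt.Errorf("token_refresh_interval: %w", err)
	}
	if r <= 0 || r >= t {
		return Window{}, fmt.Errorf("refresh interval %s must be positive and shorter than TTL %s", r, t)
	}
	return Window{TTL: t, Refresh: r, MinRemaining: t - r}, nil
}

// CoversJob reports whether a job of length d that reads the token once at
// start (assumption) always finishes before that token expires.
func (w Window) CoversJob(d time.Duration) bool { return d < w.MinRemaining }

func main() {
	// Constructed inputs: the documented defaults, the README's custom
	// values, an inverted pair, and a value missing its unit.
	for _, c := range [][2]string{{"60m", "30m"}, {"10m", "1m"}, {"30m", "60m"}, {"60", "30m"}} {
		w, err := ParseWindow(c[0], c[1])
		if err != nil {
			fmt.Printf("ttl=%s refresh=%s: invalid: %v\n", c[0], c[1], err)
			continue
		}
		fmt.Printf("ttl=%s refresh=%s: min remaining %s, covers 20m job: %v\n",
			c[0], c[1], w.MinRemaining, w.CoversJob(20*time.Minute))
	}
}
```

With the defaults, a job that starts just before a refresh holds a token with 30 minutes left; with the `10m` / `1m` values shown above, that drops to 9 minutes.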
## Logging
You can adjust the logging level with the `-vX` flag where X can be 1-10.
*WARNING* - Log level 10 will output secrets into the logs for debugging scenarios. Please do not do this in a production environment.
Note that the time intervals (`token_ttl` and `token_refresh_interval`) are Go `time.Duration` strings.
## Future Planned Enhancements
* Staggered token injections
* Disable `VAULT_ADDR` injection
* Use Vault API instead of vault binary
* Prometheus endpoint to bubble up errors and successes