Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/luzifer/git-credential-vault
Implementation of the Git Credential Storage utilizing Vault as storage backend
https://github.com/luzifer/git-credential-vault
git git-credential git-credential-helper golang vault
Last synced: 7 days ago
JSON representation
Implementation of the Git Credential Storage utilizing Vault as storage backend
- Host: GitHub
- URL: https://github.com/luzifer/git-credential-vault
- Owner: Luzifer
- License: apache-2.0
- Created: 2020-04-01T12:17:56.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2022-01-22T02:32:17.000Z (almost 3 years ago)
- Last Synced: 2024-06-20T14:08:11.524Z (5 months ago)
- Topics: git, git-credential, git-credential-helper, golang, vault
- Language: Go
- Homepage:
- Size: 43 KB
- Stars: 7
- Watchers: 4
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: History.md
- License: LICENSE
Awesome Lists containing this project
README
[![Go Report Card](https://goreportcard.com/badge/github.com/Luzifer/git-credential-vault)](https://goreportcard.com/report/github.com/Luzifer/git-credential-vault)
![](https://badges.fyi/github/license/Luzifer/git-credential-vault)
![](https://badges.fyi/github/downloads/Luzifer/git-credential-vault)
![](https://badges.fyi/github/latest-release/Luzifer/git-credential-vault)
![](https://knut.in/project-status/git-credential-vault)# Luzifer / git-credential-vault
`git-credential-vault` is an implementation of the [Git Credential Storage](https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage) utilizing [Vault](https://www.vaultproject.io/) as storage backend.
The only supported action is `get` as storage is managed through Vault related tools / the web-UI. The tool expects to find Vault keys per host containing `username` / `password` fields in it. Those fields are then combined with the data received from git and sent back for authentication.
## Expected Vault structure
```
secret/git-credentials (pass this to --vault-path-prefix)
+- github.com
| +- username = api
| +- password = verysecrettoken
+- gitlab.com
+- username = user
+- password = anothertoken
```## Usage
```console
# export VAULT_ADDR=http://localhost:8200
# export VAULT_TOKEN=somesecretvaulttoken
# echo -e "protocol=https\nhost=github.com\n\n" | ./git-credential-vault --vault-path-prefix secret/git-credentials get
host=github.com
username=api
password=myverysecrettoken
protocol=https
```### Vault KV Secrets Engine - Version 2
This tool supports both versions of the Vault KV Secrets Engine. You just need to consider one thing: Version 2 of the KV Secrets Engine does use slightly modified paths for reading secrets. In order to be compatible to both versions of the Secrets Engine you need to adjust the `vault-path-prefix` slightly when using it:
```bash
# Version 1
vault list secret_v1/git-credentials
# Keys
# ----
# github.com
git config --global credential.helper 'vault --vault-path-prefix secret_v1/git-credentials'
``````bash
# Version 2
vault kv list secret_v2/git-credentials
# Keys
# ----
# github.com
git config --global credential.helper 'vault --vault-path-prefix secret_v2/data/git-credentials'
```Mind the extra `/data` after the mountpoint for a mountpoint using version 2. If you omit it the tool will not work properly as it will not yield any credentials.
### Dockerfile example (git clone)
In this example the `VAULT_TOKEN` is passed in through a build-arg which means you **MUST** revoke the token before pushing the image, otherwise you will be leaking an active credential!
```Dockerfile
FROM alpineARG VAULT_ADDR
ARG VAULT_TOKENRUN set -ex \
&& apk --no-cache add curl git \
&& curl -sSfL "https://github.com/Luzifer/git-credential-vault/releases/download/v0.1.0/git-credential-vault_linux_amd64.tar.gz" | tar -xz -C /usr/bin \
&& mv /usr/bin/git-credential-vault_linux_amd64 /usr/bin/git-credential-vault \
&& git config --global credential.helper 'vault --vault-path-prefix secret/git-credentials'RUN set -ex \
&& git clone https://github.com/myuser/secretrepo.git /src
``````console
# docker build --build-arg VAULT_ADDR=${VAULT_ADDR} --build-arg VAULT_TOKEN=${VAULT_TOKEN} --no-cache .
```### Dockerfile example (go install)
In this example the `VAULT_TOKEN` is passed in through a build-arg which means you **MUST** revoke the token before pushing the image, otherwise you will be leaking an active credential!
```Dockerfile
FROM golang:alpineARG VAULT_ADDR
ARG VAULT_TOKENRUN set -ex \
&& apk --no-cache add git \
&& go install github.com/Luzifer/git-credential-vault@latest \
&& git config --global credential.helper 'vault --vault-path-prefix secret/git-credentials'RUN set -ex \
&& go get -v github.com/myuser/secretrepo
``````console
# docker build --build-arg VAULT_ADDR=${VAULT_ADDR} --build-arg VAULT_TOKEN=${VAULT_TOKEN} --no-cache .
```