This repository has been archived by the owner on Nov 11, 2024. It is now read-only.
This is a Golang library for interacting with Vault programmatically.

RiotGames/vault-go-client

vault-go-client

Under Development

This is a Golang client for Vault which was primarily used for Riot's AWS temporary key generation utility, KeyConjurer. It is no longer under development. We suggest you use the official HashiCorp Vault SDK instead, or consider factoring your programs such that they are unaware of Vault entirely.

Supported Auth Methods

  • ✔️ IAM
  • ✔️ AppRole
  • ✔️ LDAP
  • ✔️ Token
  • k8s (coming soon)

Supported Secret Stores

  • ✔️ KV2

Usage

To retrieve this package, run:

go get github.com/riotgames/vault-go-client

Creating a Client

The following will create a client with default configuration:

import (
	"log"

	vault "github.com/riotgames/vault-go-client"
)
...

// Uses the VAULT_ADDR env var to set the client's URL
client, err := vault.NewClient(vault.DefaultConfig())

if err != nil {
    log.Fatal(err.Error())
}
...

Putting a Secret into Vault

The following will put a secret into Vault:

secretMap := map[string]interface{}{
    "hello": "world",
}

if _, err = client.KV2.Put(vault.KV2PutOptions{
	MountPath:  secretMountPath,
	SecretPath: secretPath,
	Secrets:    secretMap,
}); err != nil {
	log.Fatal(err.Error())
}

Retrieving a Secret from Vault

Unmarshaling Approach

This approach unmarshals the secret from Vault into the provided struct. The embedded struct vault.SecretMetadata is optional.

type Secret struct {
	Hello string `json:"hello"`
	vault.SecretMetadata
}
...
secret := &Secret{}

if _, err = client.KV2.Get(vault.KV2GetOptions{
	MountPath:     secretMountPath,
	SecretPath:    secretPath,
	UnmarshalInto: secret,
}); err != nil {
	log.Fatal(err.Error())
}
fmt.Printf("%v\n", secret)

Raw Secret Approach

This approach returns a Secret defined in github.com/hashicorp/vault/api.

secret, err := client.KV2.Get(vault.KV2GetOptions{
	MountPath:  secretMountPath,
	SecretPath: secretPath,
})

if err != nil {
	log.Fatal(err.Error())
}
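With the raw approach the caller has to unpack the KV v2 envelope itself. The following is an added example, not code from this repository: it assumes the returned Secret's Data map mirrors the Vault KV v2 read response (user fields under "data", version state under "metadata"). The helper kv2Fields, the rawSecret type and the sample bodies are hypothetical, and it uses only the standard library so it runs without a Vault server.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed KV v2 read bodies (not captured from a real Vault server).
const sampleLive = `{"data":{"data":{"hello":"world"},"metadata":{"version":2,"deletion_time":"","destroyed":false}}}`
const sampleDeleted = `{"data":{"data":null,"metadata":{"version":2,"deletion_time":"2024-01-02T03:04:05Z","destroyed":false}}}`

// rawSecret is a hypothetical stand-in for the Data field of a raw Secret.
type rawSecret struct {
	Data map[string]interface{} `json:"data"`
}

// kv2Fields (hypothetical helper) returns the user key/values of a KV v2 read.
// It fails closed: a deleted or destroyed version, or a response that is not
// KV v2 shaped, is an error rather than an empty set of credentials.
func kv2Fields(body string) (map[string]interface{}, error) {
	var s rawSecret
	if err := json.Unmarshal([]byte(body), &s); err != nil {
		return nil, fmt.Errorf("decode: %w", err)
	}
	meta, ok := s.Data["metadata"].(map[string]interface{})
	if !ok {
		return nil, errors.New("no metadata: not a KV v2 response")
	}
	if destroyed, _ := meta["destroyed"].(bool); destroyed {
		return nil, errors.New("secret version destroyed")
	}
	if t, _ := meta["deletion_time"].(string); t != "" {
		return nil, fmt.Errorf("secret version deleted at %s", t)
	}
	fields, ok := s.Data["data"].(map[string]interface{})
	if !ok {
		return nil, errors.New("no data payload")
	}
	return fields, nil
}

func main() {
	fields, err := kv2Fields(sampleLive)
	fmt.Println(len(fields), err) // log the key count, never the secret values
	_, err = kv2Fields(sampleDeleted)
	fmt.Println(err)
}
```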
