influxdb/vault/README.md

# Vault Secret Service

This package implements `platform.SecretService` using [HashiCorp Vault](https://www.vaultproject.io) as the backing store.

## Key layout

All secrets are stored in Vault's KV secrets engine as key/value pairs under the path `secret/data/:orgID` (the `data/` segment is the KV version 2 API prefix). Each org owns exactly one Vault secret, and the keys of that secret are the org's secret names.

For example:

```text
/secret/data/031c8cbefe101000 ->
  github_api_key: foo
  some_other_key: bar
  a_secret: key
```
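The layout above hides two details that matter when you work with it: on a read, Vault wraps the pairs in a `data.data` envelope (beside `data.metadata`), and a KV v2 write replaces the whole secret, so updating one org's secrets is a read-modify-write. The Go program below is an added example written for this page, not the package's implementation. It models that layout against a constructed Vault response, validates the org ID before building the path (assumption: an org ID is 16 hex characters, like the one shown above, so a crafted ID cannot steer a request to another part of the Vault API), lists the key names the way the HTTP API does, and produces the write body for a merge. The function names `SecretPath`, `ParseSecrets`, `Keys` and `Patch` are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Assumption for this example: an org ID is 16 hex characters, as in the
// 031c8cbefe101000 shown above. Anything else is refused before a path is built.
var orgIDPattern = regexp.MustCompile(`^[0-9a-fA-F]{16}$`)

// SecretPath returns the KV v2 data path for an org. Validating the ID first
// keeps a crafted value such as "../sys/policy" from steering the request to
// another part of the Vault API.
func SecretPath(orgID string) (string, error) {
	if !orgIDPattern.MatchString(orgID) {
		return "", fmt.Errorf("invalid org id %q", orgID)
	}
	return "secret/data/" + strings.ToLower(orgID), nil
}

// kvV2Read mirrors the envelope Vault returns for a KV v2 read: the secret's
// own key/value pairs sit under data.data, next to data.metadata.
type kvV2Read struct {
	Data struct {
		Data     map[string]string      `json:"data"`
		Metadata map[string]interface{} `json:"metadata"`
	} `json:"data"`
}

// ParseSecrets extracts the flat key/value map from a KV v2 read response.
func ParseSecrets(body []byte) (map[string]string, error) {
	var r kvV2Read
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	if r.Data.Data == nil {
		return map[string]string{}, nil
	}
	return r.Data.Data, nil
}

// Keys returns only the secret names, sorted: that is all the
// /api/v2/orgs/:orgID/secrets listing exposes; the values stay in Vault.
func Keys(secrets map[string]string) []string {
	keys := make([]string, 0, len(secrets))
	for k := range secrets {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// Patch merges new pairs into the current secret and returns the JSON body
// to write back as {"data": {...}}. The read-modify-write is needed because a
// KV v2 write replaces the whole secret rather than merging keys.
func Patch(current, patch map[string]string) (map[string]string, []byte, error) {
	merged := make(map[string]string, len(current)+len(patch))
	for k, v := range current {
		merged[k] = v
	}
	for k, v := range patch {
		if strings.TrimSpace(k) == "" {
			return nil, nil, fmt.Errorf("empty secret key")
		}
		merged[k] = v
	}
	body, err := json.Marshal(map[string]interface{}{"data": merged})
	if err != nil {
		return nil, nil, err
	}
	return merged, body, nil
}

// Constructed sample response for the layout shown above (version 1 of the secret).
const sampleRead = `{"data":{"data":{"github_api_key":"foo","some_other_key":"bar","a_secret":"key"},"metadata":{"version":1}}}`

func main() {
	// Errors are ignored here only because the inputs are the fixed samples above.
	current, _ := ParseSecrets([]byte(sampleRead))
	path, _ := SecretPath("031c8cbefe101000")
	fmt.Println(path, Keys(current))
	_, body, _ := Patch(current, map[string]string{"foo": "bar", "hello": "world"})
	fmt.Println(string(body))
	_, err := SecretPath("../sys/policy")
	fmt.Println("traversal rejected:", err != nil)
}
```

Running it prints the path, the sorted key names `[a_secret github_api_key some_other_key]`, the merged write body containing all five keys, and `traversal rejected: true`. A real client would send the write body to `secret/data/<orgID>` with the token from `VAULT_TOKEN`; note that the body never includes the `metadata` section, which Vault maintains itself.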

## Configuration

When a new secret service is instantiated with `vault.NewSecretService()`, the standard Vault environment variables are read from the process environment (`VAULT_ADDR` and `VAULT_TOKEN`, plus the TLS settings such as `VAULT_CACERT`).

It is expected that the Vault server is unsealed and that `VAULT_TOKEN` holds a token with sufficient privileges on the key space described above; the service cannot read or write secrets while Vault is sealed. Outside of local development, issue that token from a policy scoped to `secret/data/*` with only the capabilities the service needs rather than using a root token, since whoever holds it can read every org's secrets.

## Test/Dev

The Vault secret service may be exercised locally by starting a Vault dev server and pointing `influxd` at it. The dev server runs unsealed with in-memory storage and prints its address (`http://127.0.0.1:8200` by default) and a root token on startup; use those values below, and only for development.

```sh
vault server -dev
VAULT_ADDR='<vault address>' VAULT_TOKEN='<vault token>' influxd --secret-store vault
```

Once the Vault and InfluxDB servers have been started and initialized, you may test the service by executing the following (the listing endpoint returns secret names only, never values):

```sh
curl --request GET \
  --url http://localhost:8086/api/v2/orgs/<org id>/secrets \
  --header 'authorization: Token <authorization token>'

# should return
#
#  {
#    "links": {
#      "org": "/api/v2/orgs/031c8cbefe101000",
#      "secrets": "/api/v2/orgs/031c8cbefe101000/secrets"
#    },
#    "secrets": []
#  }
curl --request PATCH \
  --url http://localhost:8086/api/v2/orgs/<org id>/secrets \
  --header 'authorization: Token <authorization token>' \
  --header 'content-type: application/json' \
  --data '{
    "foo": "bar",
    "hello": "world"
  }'

# should return 204 No Content
curl --request GET \
  --url http://localhost:8086/api/v2/orgs/<org id>/secrets \
  --header 'authorization: Token <authorization token>'

# should return
#
#  {
#    "links": {
#      "org": "/api/v2/orgs/031c8cbefe101000",
#      "secrets": "/api/v2/orgs/031c8cbefe101000/secrets"
#    },
#    "secrets": [
#      "foo",
#      "hello"
#    ]
#  }
```