HashiCorp Vault Token Helper using the OS X Keychain

.vault

token_helper = "/Users/me/.vault-helper"

.vault-helper

#!/bin/bash

if [[ -z "${VAULT_ADDR}" ]]; then
  echo 'vault-helper: missing env var VAULT_ADDR' >&2
  exit 1
fi

fqdn=$(ruby -ruri -e "puts URI.parse('$VAULT_ADDR').host")
token=$(cat /dev/stdin)

case "$1" in
   get)
     printf $(/usr/bin/security \
       find-internet-password \
       -w \
       -s "${fqdn}" \
       -d "${VAULT_ADDR}" \
        ~/Library/Keychains/login.keychain)
    exit 0
    ;;
   store)
      if [[ -z "${token}" ]]; then
        echo 'vault-helper: missing token value' >&2
        exit 2
      fi
     /usr/bin/security \
       add-internet-password \
       -a "${USER}" \
       -s "${fqdn}" \
       -d "${VAULT_ADDR}" \
       -w "${token}" \
       -U \
        ~/Library/Keychains/login.keychain
    ;;
   erase)
     /usr/bin/security \
       delete-internet-password \
       -a "${USER}" \
       -s "${fqdn}" \
       -d "${VAULT_ADDR}" \
        ~/Library/Keychains/login.keychain
    ;;
  *)
    echo "usage: vault-helper (get|set|erase)" >2
    exit 3
    ;;
esac

README.md

HashiCorp Vault Token Helper using the OS X Keychain

Uses the OS X Keychain to save the token created by vault auth. This replaces the default behavior to save the token to a ~/.vault-token on disk.

The helper will use the $VAULT_ADDR environmental variable as the name of the Keychain item to read/write.

Tested with Ruby 2.3.1p11 and Vault v0.6.2.

Getting Started

1. Save the Ruby script to a path like ~/.vault-helper

2. Create/update your ~/.vault config file to include the line token_helper = "/Users/me/.vault-helper". Note this requires a fully qualified path to the script created in step 1; relative paths like ~/.vault-helper or ./vault-helper will not work with the vault client.