Skip to content

Instantly share code, notes, and snippets.

@steve-jansen
Last active June 7, 2024 03:30
Show Gist options
  • Save steve-jansen/011e15c56ffdcb1860b664f85e2151af to your computer and use it in GitHub Desktop.
Save steve-jansen/011e15c56ffdcb1860b664f85e2151af to your computer and use it in GitHub Desktop.
HashiCorp Vault Token Helper using the OS X Keychain
token_helper = "/Users/me/.vault-helper"
#!/bin/bash
if [[ -z "${VAULT_ADDR}" ]]; then
echo 'vault-helper: missing env var VAULT_ADDR' >&2
exit 1
fi
fqdn=$(ruby -ruri -e "puts URI.parse('$VAULT_ADDR').host")
token=$(cat /dev/stdin)
case "$1" in
get)
printf $(/usr/bin/security \
find-internet-password \
-w \
-s "${fqdn}" \
-d "${VAULT_ADDR}" \
~/Library/Keychains/login.keychain)
exit 0
;;
store)
if [[ -z "${token}" ]]; then
echo 'vault-helper: missing token value' >&2
exit 2
fi
/usr/bin/security \
add-internet-password \
-a "${USER}" \
-s "${fqdn}" \
-d "${VAULT_ADDR}" \
-w "${token}" \
-U \
~/Library/Keychains/login.keychain
;;
erase)
/usr/bin/security \
delete-internet-password \
-a "${USER}" \
-s "${fqdn}" \
-d "${VAULT_ADDR}" \
~/Library/Keychains/login.keychain
;;
*)
echo "usage: vault-helper (get|set|erase)" >2
exit 3
;;
esac

HashiCorp Vault Token Helper using the OS X Keychain

Uses the OS X Keychain to save the token created by vault auth. This replaces the default behavior to save the token to a ~/.vault-token on disk.

The helper will use the $VAULT_ADDR environmental variable as the name of the Keychain item to read/write.

Tested with Ruby 2.3.1p11 and Vault v0.6.2.

Getting Started

  1. Save the Ruby script to a path like ~/.vault-helper

  2. Create/update your ~/.vault config file to include the line token_helper = "/Users/me/.vault-helper". Note this requires a fully qualified path to the script created in step 1; relative paths like ~/.vault-helper or ./vault-helper will not work with the vault client.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment