@twentyfourg/vault-dotenv
Create .env file from Vault.
Usage
npm i -g @twentyfourg/vault-dotenv
vault-dotenv /kv/secret/path
Options
- -o, --override-file [file]: File containing values to override the retrieved Vault values.
- -f, --out-file [file]: Name of the generated env file. Defaults to '.env'.
- -l, --login: Log into Vault.
- -a, --vault-addr [address]: Address of your Vault server. Defaults to process.env.VAULT_ADDR || http://127.0.0.1:8200
- -e, --env-file [file]: .env file that should be parsed to set environment variables for this run.
Overrides
The -o or --override-file flag can be used to specify a file with env-formatted (key=value) variables that will override any colliding values retrieved from Vault.
# Content from override (.env.override)
foo=bar
# Content from Vault (/kv/1234/dev/secret)
foo=baz
bar=rag
vault-dotenv -o .env.override /kv/1234/dev/secret
# Results in
foo=bar
bar=rag
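The override precedence described above, as an added example that is not code from vault-dotenv: JavaScript that parses env-formatted text and merges it so override values win, reporting which keys were replaced. The function names parseEnv, mergeWithOverrides and toEnvFile are hypothetical, and the sample inputs are constructed from the example above.

```javascript
// Added illustration; not code from @twentyfourg/vault-dotenv.
// parseEnv, mergeWithOverrides and toEnvFile are hypothetical helper names.

// Parse env-formatted text (key=value per line) into an ordered Map.
// Blank lines and lines starting with '#' are skipped.
function parseEnv(text) {
  const vars = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq <= 0) continue; // empty key or no '=': not a key=value line
    // Split on the first '=' only, so values containing '=' survive intact.
    vars.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return vars;
}

// Override values win over colliding Vault values.
// Also returns the replaced keys so a caller can log them (keys only, never values).
function mergeWithOverrides(vaultVars, overrideVars) {
  const merged = new Map(vaultVars);
  const overridden = [];
  for (const [key, value] of overrideVars) {
    if (merged.has(key) && merged.get(key) !== value) overridden.push(key);
    merged.set(key, value);
  }
  return { merged, overridden };
}

// Serialize a Map back to env file text, one key=value per line.
function toEnvFile(vars) {
  return [...vars].map(([k, v]) => `${k}=${v}`).join('\n') + '\n';
}

// Constructed sample data mirroring the example above.
const vaultSecret = 'foo=baz\nbar=rag\n';
const overrideFile = '# local override\nfoo=bar\n';

const result = mergeWithOverrides(parseEnv(vaultSecret), parseEnv(overrideFile));
console.log(toEnvFile(result.merged));
console.log('overridden keys:', result.overridden.join(', '));
```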
Environment Variables
Environment variables can be used to fulfill some input values when running vault-dotenv. These environment variables can be set outside the purview of vault-dotenv, or you can pass an environment variable file which vault-dotenv will parse and use when creating the .env file. You can configure this with the -e or --env-file flag.
Vault address: VAULT_ADDR
Vault Token: VAULT_TOKEN
Vault secret path: SECRET_PATH
# Env file to parse (.env.example)
SECRET_PATH=/kv/secret/foo
# Generate env from secret /kv/secret/foo
vault-dotenv -e .env.example
Output File
By default vault-dotenv generates a .env file called .env. You can change this to be any value with the -f or --out-file flag.
vault-dotenv -f .env.fancycat kv/796-11/dev/backend-infrastructure-secrets
ll
.env.fancycat
vault-dotenv -f /tmp/.env.fancycat kv/796-11/dev/backend-infrastructure-secrets
ll /tmp
.env.fancycat
Lambda Extension
You can use the Lambda Extension to inject environment variables from Vault. The extension uses the @twentyfourg/vault-dotenv binaries to generate a .env file in the Lambda function's /tmp directory. It then automatically loads those environment variables using a custom Lambda Execution Wrapper Script.
The extension uses the AWS auth method that is implemented in the underlying @twentyfourg/cloud-sdk package.
Environment Variables:
- SECRET_PATH (Required): Vault secret path.
- VAULT_ROLE (Required): The Vault AWS auth method role to use to authenticate.
- VAULT_ADDR (Required): The endpoint for your Vault server.
- AWS_LAMBDA_EXEC_WRAPPER (Optional): Set this if you want the extension to automatically load the environment variables located in /tmp/.env. When enabled, the value must be /opt/bin/wrapper.
- VAULT_ENV_OUTPUT_FILE (Optional): Where the env file should be created. Defaults to /tmp/.env
- VAULT_ENV_EXTENSION_NAME (Optional): The name of the extension. Defaults to vault-dotenv. This value must be equal to the name of the extension.
arn:aws:lambda:<region>:033632814797:layer:vault-dotenv:<>
See release page for latest Layer version