This package implements platform.SecretService using vault.

All secrets are stored in vault as key value pairs that can be found under the key /secret/data/:orgID.
For example:

/secret/data/031c8cbefe101000 ->
    github_api_key: foo
    some_other_key: bar
    a_secret: key
When a new secret service is instantiated with vault.NewSecretService(), we read the environment for the standard vault environment variables.

It is expected that the vault provided is unsealed and that the VAULT_TOKEN has sufficient privileges to access the key space described above.
The vault secret service may be used by starting a vault server and then pointing influxd at it:

vault server -dev
VAULT_ADDR='<vault address>' VAULT_TOKEN='<vault token>' influxd --secret-store vault

Once the vault and influxdb servers have been started and initialized, you may test the service by executing the following:
curl --request GET \
--url http://localhost:9999/api/v2/orgs/<org id>/secrets \
--header 'authorization: Token <authorization token>'
# should return
#
# {
# "links": {
# "org": "/api/v2/orgs/031c8cbefe101000",
# "secrets": "/api/v2/orgs/031c8cbefe101000/secrets"
# },
# "secrets": []
# }
curl --request PATCH \
--url http://localhost:9999/api/v2/orgs/<org id>/secrets \
--header 'authorization: Token <authorization token>' \
--header 'content-type: application/json' \
--data '{
"foo": "bar",
"hello": "world"
}'
# should return 204 no content
curl --request GET \
--url http://localhost:9999/api/v2/orgs/<org id>/secrets \
--header 'authorization: Token <authorization token>'
# should return
#
# {
# "links": {
# "org": "/api/v2/orgs/031c8cbefe101000",
# "secrets": "/api/v2/orgs/031c8cbefe101000/secrets"
# },
# "secrets": [
# "foo",
# "hello"
# ]
# }
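As an added illustration, not part of this package's code and not using the real vault client library, the following Go program models the layout described above: one KV v2 entry per org at /secret/data/:orgID, addressed through Vault's HTTP API with the token in the X-Vault-Token header. It runs offline against a constructed in-memory stand-in for `vault server -dev` (the fakeVault type, the dev-root token and the address are assumptions made for the example), and it shows two things the curl session alone does not: a GET for an org that has no entry yet comes back 404 and must be reported as an empty secret list, and because a KV v2 write replaces the whole data map, PATCH semantics need a read-modify-write rather than a plain write.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"sort"
)

// kvPath is the KV v2 data endpoint for one org, mirroring /secret/data/:orgID above.
func kvPath(orgID string) string { return "/v1/secret/data/" + orgID }

// Store holds what the real service reads from VAULT_ADDR and VAULT_TOKEN; the
// client is injectable so the demo below runs offline against a fake.
type Store struct {
	addr, token string
	client      *http.Client
}

// call sends one token-authenticated request for the org's entry. KV v2 nests the
// secrets under data.data, and a GET on a path never written answers 404, which
// means "no secrets for this org yet" rather than an error.
func (s *Store) call(method, orgID string, body []byte) (map[string]string, error) {
	req, err := http.NewRequest(method, s.addr+kvPath(orgID), bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", s.token)
	resp, err := s.client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if method == http.MethodGet && resp.StatusCode == http.StatusNotFound {
		return map[string]string{}, nil
	}
	if resp.StatusCode/100 != 2 {
		return nil, fmt.Errorf("vault %s %s: status %d", method, kvPath(orgID), resp.StatusCode)
	}
	var out struct{ Data struct{ Data map[string]string } } // encoding/json matches "data" case-insensitively
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out.Data.Data, err
}

// Keys is what GET /api/v2/orgs/:id/secrets exposes: names only, never values.
func (s *Store) Keys(orgID string) ([]string, error) {
	data, err := s.call(http.MethodGet, orgID, nil)
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys, err
}

// Patch merges pairs into the entry, as PATCH /secrets does. A KV v2 write replaces
// the whole "data" map, so a merge is read-modify-write (assumption: no concurrent
// writers; production code would send the read version back in options.cas).
func (s *Store) Patch(orgID string, kv map[string]string) error {
	cur, err := s.call(http.MethodGet, orgID, nil)
	if err != nil {
		return err
	}
	for k, v := range kv {
		cur[k] = v
	}
	payload, _ := json.Marshal(map[string]any{"data": cur})
	_, err = s.call(http.MethodPost, orgID, payload)
	return err
}

// fakeVault is a constructed in-memory stand-in for `vault server -dev`: it
// enforces the token and speaks the KV v2 wire format for a single mount.
type fakeVault struct{ store map[string]map[string]string }

func reply(code int, v any) (*http.Response, error) {
	b, _ := json.Marshal(v)
	return &http.Response{StatusCode: code, Header: http.Header{}, Body: io.NopCloser(bytes.NewReader(b))}, nil
}

func (f *fakeVault) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.Header.Get("X-Vault-Token") != "dev-root" {
		return reply(http.StatusForbidden, map[string]any{"errors": []string{"permission denied"}})
	}
	if req.Method == http.MethodPost {
		var in struct{ Data map[string]string }
		_ = json.NewDecoder(req.Body).Decode(&in) // fake: trusts the caller's JSON
		f.store[req.URL.Path] = in.Data           // a write replaces the whole map, it never merges
		return reply(http.StatusOK, map[string]any{"data": map[string]int{"version": 1}})
	}
	if data, ok := f.store[req.URL.Path]; ok {
		return reply(http.StatusOK, map[string]any{"data": map[string]any{"data": data}})
	}
	return reply(http.StatusNotFound, map[string]any{"errors": []string{}})
}

// Demo replays the curl session above offline: list (empty), PATCH two keys, list.
func Demo() (before, after []string, err error) {
	st := &Store{addr: "http://127.0.0.1:8200", token: "dev-root", // constructed dev values
		client: &http.Client{Transport: &fakeVault{store: map[string]map[string]string{}}}}
	const org = "031c8cbefe101000"
	if before, err = st.Keys(org); err != nil {
		return nil, nil, err
	}
	if err = st.Patch(org, map[string]string{"foo": "bar", "hello": "world"}); err != nil {
		return nil, nil, err
	}
	after, err = st.Keys(org)
	return before, after, err
}

func main() {
	before, after, err := Demo()
	fmt.Println(before, after, err) // [] [foo hello] <nil>
}
```

Swapping the fakeVault transport for http.DefaultTransport and filling Store from the environment is all that changes to run this against a real dev server; the 403 branch in the fake stands in for a VAULT_TOKEN whose policy does not cover the secret/ key space.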