These scripts provide a simple way of switching between different instances of Hashicorp Vault. Once integrated into someone's Bash dotfiles setup, it should keep some environment variables up to date. A key assumption made by this script is that the shell environment it is installed in has a function similar to `PS1_COMMAND`, which runs each time the shell is generated. As the `VAULT_ADDR` is not stored in any files, this environment variable must be kept up to date.
Clone this repository somewhere comfortable on your workstation. There are two environment variables which configure the scripts. Define these as you wish and then source the `init.sh` script in your `.profile`.

- `HCVSWITCH_PATH` points to the location you cloned this repository.
- `HCVSWITCH_CONFIG` points to a yaml file containing your Vault configuration. This is optional and defaults to `~/.hcv.yml`.

```bash
export HCVSWITCH_PATH="${HOME}/src/hcvswitch"
export HCVSWITCH_CONFIG="${HOME}/.hcv.yml"
. "${HCVSWITCH_PATH}/init.sh"
```
There is an additional component that must be eval'd in the `PS1_COMMAND` context. This ensures that the Vault configuration is transparently known across terminals. Along with the various Vault environment variables, the `HCV_ENV` environment variable will be set to the name of the current Vault account. You can then use this to include the Vault environment in your `PS1` variable.

```bash
eval $("${HCVSWITCH_PATH}/hcvswitch.sh" eval)
```
The Vault configuration is stored in a simple yaml file. It is a list of config entries, each prefixed by a comment with the name of the Vault environment. The comment is the name referenced when switching Vault accounts. Note that only `id` and `url` are required. The values of `ignore_ssl` and `sni` have sensible defaults. You can also specify some authentication hints with `auth_user` and `auth_method`.

```yaml
#my-vault
- id: my-vault
  url: http://vault.example.com/
  ignore_ssl: false
  sni: vault.example.com
  auth_user: nobody
  auth_method: userpass
```
The inclusion of the `init.sh` script will keep some Vault related environment variables updated.

- `VAULT_ADDR` will be set to the current `url` for the active Vault environment.
- `VAULT_SKIP_ADDR` will be set to `0` or `1` depending on the `true`/`false` setting of `ignore_ssl` for the active Vault environment.
- `VAULT_TLS_SERVER_NAME` will be set to either the value of the `sni` setting, or the hostname portion of the `VAULT_ADDR`.
- `HCV_ENV` will be set to the name of the current hcvswitch profile.
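The following is an added example, not code from hcvswitch: it reads a config in the yaml layout shown above and derives the exports listed here for one profile, the way an `eval`-style command would, single-quoting every value so that evaluating its output cannot run shell code placed in the config file. The function name `hcv_profile_exports`, the sample config `HCV_SAMPLE_CONFIG` and its profiles are assumptions, and it emits `VAULT_SKIP_VERIFY`, the variable the Vault CLI reads for TLS verification.

```bash
#!/usr/bin/env bash
# Constructed sample config in the page's layout (comment line = profile name).
HCV_SAMPLE_CONFIG='#test1
- id: test1
  url: http://localhost:8200/
  ignore_ssl: false
#test2
- id: test2
  url: https://vault.example.com:8201/
  ignore_ssl: true
  sni: vault.example.com
'

# Usage: hcv_profile_exports NAME < config.yml
# Prints one `export` line per variable; values are single-quoted so the
# output is safe to `eval` even if the config contains shell metacharacters.
hcv_profile_exports() {
  local want="$1" prog
  prog=$(cat <<'AWK'
function q(s) { gsub(/'/, "'\\\\''", s); return "'" s "'" }   # shell-quote
/^#/ { cur = substr($0, 2); sub(/^[ \t]+/, "", cur); next }   # "#name" starts a profile
cur == want {
  line = $0; sub(/^[ \t-]+/, "", line)            # drop list dash and indent
  i = index(line, ":"); if (i == 0) next          # skip non key/value lines
  key = substr(line, 1, i - 1); val = substr(line, i + 1)
  sub(/^[ \t]+/, "", val); cfg[key] = val
}
END {
  if (!("url" in cfg)) { print "no url for profile " want > "/dev/stderr"; exit 1 }
  host = cfg["url"]; sub(/^[A-Za-z]+:\/\//, "", host); sub(/[\/:].*$/, "", host)
  sni  = ("sni" in cfg) ? cfg["sni"] : host       # default: host part of url
  skip = (cfg["ignore_ssl"] == "true") ? 1 : 0    # default: verify TLS
  print "export VAULT_ADDR=" q(cfg["url"])
  print "export VAULT_SKIP_VERIFY=" q(skip)
  print "export VAULT_TLS_SERVER_NAME=" q(sni)
  print "export HCV_ENV=" q(want)
}
AWK
)
  awk -v want="$want" "$prog"
}
```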
Once you have initialized the script in your `.profile`, usage is straightforward. Simply make use of the `hcvswitch` function and reference one of the Vault instances in your YAML configuration. This will cause your current terminal context to be re-initialized. Note that other terminals will not be re-initialized until the next time the `PS1_COMMAND` context is evaluated. You can also use the `hcvlist` function to display the different Vault instances.

```
$ hcvlist
test1
test2
$ hcvswitch test1
$ echo $VAULT_ADDR
http://localhost:8200
$ hcvswitch test2
$ echo $VAULT_ADDR
http://localhost:8201
```
There is also a simple Vault authentication helper for the LDAP and userpass backends. This will associate an auth method and username with a profile. If you have set both `auth_user` and `auth_method` for a profile, the `hcvauth` command will initiate a `vault auth` request.
The hcvswitch tool was created by Jonathan Freedman.