@twentyfourg/vault-dotenv v3.1.0
@twentyfourg/vault-dotenv
Create .env file from Vault.
Usage
npm i -g @twentyfourg/vault-dotenv
vault-dotenv /kv/secret/path
Options
-o, --override-file [file]: File containing values to override the retrieved Vault values.
-f, --out-file [file]: Name of the generated env file. Defaults to '.env'.
-l, --login: Log into Vault.
-a, --vault-addr [address]: Address to your Vault server. Defaults to process.env.VAULT_ADDR || http://127.0.0.1:8200
-e, --env-file [file]: .env file that should be parsed to set environment variables for this run.
Overrides
The -o or --override-file flag can be used to specify a file with env-formatted (key=value) variables that will override any colliding values retrieved from Vault.
# Content from override (.env.override)
foo=bar
# Content from Vault (/kv/1234/dev/secret)
foo=baz
bar=rag
vault-dotenv -o .env.override /kv/1234/dev/secret
# Results in
foo=bar
bar=rag
Environment Variables
Environment variables can be used to fulfill some input values when running vault-dotenv. These environment variables can be set outside the purview of vault-dotenv, or you can pass an environment variable file which vault-dotenv will parse and use when creating the .env file. You can configure this with the -e or --env-file flag.
Vault address: VAULT_ADDR
Vault Token: VAULT_TOKEN
Vault secret path: SECRET_PATH
# Env file to parse (.env.example)
SECRET_PATH=/kv/secret/foo
# Generate env from secret /kv/secret/foo
vault-dotenv -e .env.example
Output File
By default vault-dotenv generates a .env file called .env. You can change this to be any value with the -f or --out-file flag.
vault-dotenv -f .env.fancycat kv/796-11/dev/backend-infrastructure-secrets
ll
.env.fancycat
vault-dotenv -f /tmp/.env.fancycat kv/796-11/dev/backend-infrastructure-secrets
ll /tmp
.env.fancycat
Lambda Extension
You can use the Lambda Extension to inject environment variables from Vault. The extension uses the @twentyfourg/vault-dotenv binaries to generate a .env file in the Lambda function's /tmp directory. It then automatically loads those environment variables using a custom Lambda Execution Wrapper Script.
The extension uses the AWS auth method that is implemented in the underlying @twentyfourg/cloud-sdk package.
Environment Variables:
SECRET_PATH (Required): Vault secret path.
VAULT_ROLE (Required): The Vault AWS auth method role to use to authenticate.
VAULT_ADDR (Required): The endpoint for your Vault server.
AWS_LAMBDA_EXEC_WRAPPER (Optional): Set this if you want the extension to automatically load the environment variables located in /tmp/.env. When enabled, the value must be /opt/bin/wrapper.
VAULT_ENV_OUTPUT_FILE (Optional): Where the env file should be created. Defaults to /tmp/.env
VAULT_ENV_EXTENSION_NAME (Optional): The name of the extension. Defaults to vault-dotenv. This value must be equal to the name of the extension.
arn:aws:lambda:<region>:033632814797:layer:vault-dotenv:<>
See release page for latest Layer version
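A sketch of what an execution wrapper of the kind described above has to do, added here as an example and not the extension's actual /opt/bin/wrapper: it loads the generated env file and then hands control to the runtime command Lambda passes as arguments. It assumes the file holds plain KEY=value lines as in the examples on this page; the function name load_env_file is hypothetical. Values are exported as literal strings rather than by sourcing the file, so shell syntax inside a secret value is never executed.

```shell
#!/bin/sh
# Added sketch of a Lambda exec wrapper; not the extension's own script.
# Assumption: the env file contains plain KEY=value lines.

# load_env_file FILE: export each KEY=value line without evaluating it as shell.
load_env_file() {
  env_file=$1
  [ -r "$env_file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) continue ;;   # skip blank lines and comments
      *=*) ;;                # looks like an assignment, keep going
      *) continue ;;         # ignore anything else
    esac
    key=${line%%=*}          # text before the first '='
    value=${line#*=}         # text after the first '=' (may contain '=')
    # Accept only names that are valid shell identifiers.
    case $key in
      ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;;
    esac
    export "$key=$value"     # value is assigned literally, never expanded
  done < "$env_file"
}

# When installed as the wrapper, Lambda passes the runtime start command as
# arguments; load the file, then replace this process with that command.
if [ "${0##*/}" = wrapper ]; then
  load_env_file "${VAULT_ENV_OUTPUT_FILE:-/tmp/.env}" ||
    echo "wrapper: env file not loaded" >&2
  exec "$@"
fi
```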