Thanks to visit codestin.com
Credit goes to github.com

Skip to content

akrusako/vaultpipe

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

64 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

vaultpipe

Stream secrets from Vault into process environments without writing to disk.


Installation

go install github.com/yourname/vaultpipe@latest

Or download a pre-built binary from the releases page.


Usage

vaultpipe [flags] -- <command>

Example: Run a server with database credentials injected from Vault:

vaultpipe \
  --addr https://vault.example.com \
  --path secret/data/myapp/db \
  -- ./server

Secrets at the specified path are resolved and injected as environment variables into the child process. Nothing is written to disk.

Flags

Flag Description Default
--addr Vault server address $VAULT_ADDR
--token Vault token $VAULT_TOKEN
--path Secret path to read (required)
--prefix Prefix for injected env vars (none)
--mount KV secrets engine mount path secret

Authentication falls back to standard Vault environment variables (VAULT_ADDR, VAULT_TOKEN, VAULT_ROLE_ID, etc.) if flags are not provided.


How It Works

  1. Authenticates with Vault using the provided credentials
  2. Fetches secrets from the specified path
  3. Merges secrets into the current environment
  4. Executes the given command via execve — no subprocess, no temp files

Multiple Paths

You can specify --path more than once to inject secrets from multiple Vault paths. If the same key exists in multiple paths, the last one wins:

vaultpipe \
  --addr https://vault.example.com \
  --path secret/data/myapp/db \
  --path secret/data/myapp/api \
  -- ./server

License

MIT © yourname

About

CLI tool to stream secrets from Vault into process environments without writing to disk

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages