Stream secrets from Vault into process environments without writing to disk.
go install github.com/yourname/vaultpipe@latestOr download a pre-built binary from the releases page.
vaultpipe [flags] -- <command>Example: Run a server with database credentials injected from Vault:
vaultpipe \
--addr https://vault.example.com \
--path secret/data/myapp/db \
-- ./serverSecrets at the specified path are resolved and injected as environment variables into the child process. Nothing is written to disk.
| Flag | Description | Default |
|---|---|---|
--addr |
Vault server address | $VAULT_ADDR |
--token |
Vault token | $VAULT_TOKEN |
--path |
Secret path to read | (required) |
--prefix |
Prefix for injected env vars | (none) |
--mount |
KV secrets engine mount path | secret |
Authentication falls back to standard Vault environment variables (VAULT_ADDR, VAULT_TOKEN, VAULT_ROLE_ID, etc.) if flags are not provided.
- Authenticates with Vault using the provided credentials
- Fetches secrets from the specified path
- Merges secrets into the current environment
- Executes the given command via
execve— no subprocess, no temp files
You can specify --path more than once to inject secrets from multiple Vault paths. If the same key exists in multiple paths, the last one wins:
vaultpipe \
--addr https://vault.example.com \
--path secret/data/myapp/db \
--path secret/data/myapp/api \
-- ./serverMIT © yourname