Is your feature request related to a problem? Please describe.
Passing a VAULT_TOKEN environment variable is counterproductive to security. Vault supports reading the token from a file, but the path is not configurable without writing a full token helper.
Describe the solution you'd like
It feels like 80% of the use for external token helpers is just having the file somewhere else. Introducing an environment variable would alleviate that need and work with most secret-providing tools (Docker secrets, for one).
I'm not a Go dev, but I believe this patch would work for this:
From 4b17f815b8acd489fa9eaa404516c57ee25d1754 Mon Sep 17 00:00:00 2001
From: Benjamin Demarteau <[email protected]>
Date: Thu, 20 Apr 2023 11:13:27 +0200
Subject: [PATCH] cli/token_helper: introduce VAULT_TOKEN_FILE env var to
control the path to the default vault token file
---
command/token/helper_internal.go | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/command/token/helper_internal.go b/command/token/helper_internal.go
index aeb4faa9be..e97f4ecaee 100644
--- a/command/token/helper_internal.go+++ b/command/token/helper_internal.go@@ -21,21 +21,18 @@ var _ TokenHelper = (*InternalTokenHelper)(nil)
// token-helper is configured, and avoids shelling out
type InternalTokenHelper struct {
tokenPath string
- homeDir string
}
func NewInternalTokenHelper() (*InternalTokenHelper, error) {
- homeDir, err := homedir.Dir()- if err != nil {- panic(fmt.Sprintf("error getting user's home directory: %v", err))- }- return &InternalTokenHelper{homeDir: homeDir}, err-}+ if tokenPath := os.Getenv("VAULT_TOKEN_FILE"); tokenPath != "" {+ return &InternalTokenHelper{tokenPath: tokenPath}, nil+ }-// populateTokenPath figures out the token path using homedir to get the user's-// home directory-func (i *InternalTokenHelper) populateTokenPath() {- i.tokenPath = filepath.Join(i.homeDir, ".vault-token")+ if homeDir, err := homedir.Dir(); err != nil {+ panic(fmt.Sprintf("error getting user's home directory: %v", err))+ }++ return &InternalTokenHelper{tokenPath: filepath.Join(homeDir, ".vault-token")}, nil
}
func (i *InternalTokenHelper) Path() string {
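Review bot: the replacement constructor in this hunk does not compile as written: `if homeDir, err := homedir.Dir(); err != nil {` declares `homeDir` only inside that if statement, so the `filepath.Join(homeDir, ".vault-token")` in the return that follows refers to an undeclared name. Declare it first (`homeDir, err := homedir.Dir()` followed by the `if err != nil` check), and since the function already returns an `error`, return it rather than `panic` (the removed code panicked and then had an unreachable `return ..., err`). Also worth a line in the docs: `os.Getenv("VAULT_TOKEN_FILE")` is used verbatim, so a relative path resolves against the current working directory of the `vault` process; document the variable alongside `VAULT_TOKEN` and state that an absolute path is expected.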
@@ -44,7 +41,6 @@ func (i *InternalTokenHelper) Path() string {
// Get gets the value of the stored token, if any
func (i *InternalTokenHelper) Get() (string, error) {
- i.populateTokenPath()
f, err := os.Open(i.tokenPath)
if os.IsNotExist(err) {
return "", nil
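Review bot: removing `i.populateTokenPath()` here is only safe if every other method that reads `i.tokenPath` drops the call as well; the first hunk deletes `populateTokenPath` entirely, and the diffstat (12 deletions, all visible above) covers no other call site, so any remaining caller in the other `TokenHelper` methods of this type would break the build. Either remove those calls in the same patch or keep `populateTokenPath` as a no-op until they are gone.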
--
2.31.1
Describe alternatives you've considered
I could write yet another token helper, but it feels like it would benefit a lot of people to provide a built-in way to do this.
Explain any additional use-cases
It would probably interest people in #20272, #1937, #247, #2092, #7159.
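The external-helper route the issue names as its alternative, written out as an added example (not the issue author's patch and not Vault code): a POSIX sh token helper that takes its file location from VAULT_TOKEN_FILE and falls back to ~/.vault-token, the same lookup order as the patch. It assumes Vault's external-helper calling convention (`helper get|store|erase`, token on stdin for store, token on stdout for get) and that the helper is registered via `token_helper = "..."` in ~/.vault; neither is spelled out in the issue.

```shell
#!/bin/sh
# Added example, not the issue author's patch or Vault code: an external token
# helper whose file location comes from VAULT_TOKEN_FILE. Assumes Vault's helper
# convention: called as `helper get|store|erase`, token on stdin for store,
# token printed on stdout for get. Register it in ~/.vault with
# token_helper = "/path/to/this/script".

# token_path uses the same lookup order as the patch in the issue.
token_path() {
    if [ -n "${VAULT_TOKEN_FILE:-}" ]; then
        printf '%s' "$VAULT_TOKEN_FILE"
    else
        printf '%s/.vault-token' "$HOME"
    fi
}

token_helper() {
    path=$(token_path)
    case "$1" in
        get)
            # No file means "no token", the same as Vault's built-in helper.
            if [ -f "$path" ]; then cat "$path"; fi
            ;;
        store)
            # Replace rather than truncate, so the owner-only mode from umask
            # applies even when an older, more permissive file is present.
            (umask 077 && rm -f "$path" && cat > "$path")
            ;;
        erase)
            rm -f "$path"
            ;;
        *)
            echo "usage: token-helper get|store|erase" >&2
            return 1
            ;;
    esac
}

# Only dispatch when invoked with a command, so the functions can be sourced.
if [ $# -gt 0 ]; then
    token_helper "$@"
    exit $?
fi
```

With a read-only secret mount (Docker secrets, for example) only `get` is expected to succeed; `store` reports the failed `rm`/write through its exit status rather than silently leaving the old token in place.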