Support multiple Vault commandline client tokens #2092
Comments
mfischer-zd
changed the title
|
My research suggests that this feature won't be trivial to implement without breaking some interfaces. cracks knuckles |
|
Most users are using external tools like |
|
Hmm, that's not a bad idea. Investigating now. |
|
When a user authenticates via the CLI, the token is automatically saved in the user's home directory. This means the user can perform subsequent CLI operations immediately, without having to manipulate environment variables, as long as the issued token remains valid. Consider the case where a user re-authenticates to a Vault instance. Currently that's a pretty frictionless operation, since the Vault client will simply overwrite the existing So either another wrapper will be needed ( |
Where possible, store the user's token in `~/.vault-token-SUFFIX` for safekeeping, where `SUFFIX` is the first 8 hex digits of the SHA-256 hash of `host:port`. If that can't be found, fall back to the historical `~/.vault-token` location. Fixes hashicorp#2092
|
Our team would really like first class support for multiple vaults in the Vault CLI. It'd be ideal to have something akin to the aws cli's profiles. I imagine something like this: # ~/.vault/config.hcl
active_vault {
name = "staging"
}
vault "production" {
addr = "https://vault.production.example.com"
token = "abc123"
}
vault "staging" {
addr = "https://vault.staging.example.com"
token = "def456"
}Switching the active vault: Adding a new vault to the config file: $ vault profile create my-new-vault -addr=https://vault.whatever.example.com # new vault block added to config file
$ vault auth # token gets added to vault block in config file for the active vaultExplicitly specify the profile for a command: $ vault -profile=staging read secret/foo/bar |
|
@jimmycuadra It's not documented super well but the CLI can invoke an external token-helper to provide a token, which could potentially look at e.g. env vars to decide which token to return. |
|
Another example of using a CLI like this to target multiple instances of a server-side tool that I think is done really well is Kubernetes's kubeconfig format, which is consumed by |
|
Just here to voice my opinion that having first-class support for multiple vault instances / profiles / tokens would be really nice. I connect to seven different vault addresses each day. Regularly. Currently, I create a tmux window for each organization, and within the non-ephemeral panes I spawn I set quote @jefferai:
This is still putting the responsibility for managing multiple profiles on the user (or external third party), and isn't really a great solution. |
catsby
added
feature-request
core
|
There's a Ruby token helper example in the docs. This works exactly as I'd like, except that |
|
I would really like to see a solution to this. Our organization has a large number of clusters, and I get super frustrated with having What obstacles exist for implementing something similar to Kubernetes' context abstraction for the Vault CLI? |
|
I feel that this request should be closed as there are already several solutions for managing multiple Vault instances directly on shell with alias v1='VAULT_ADDR=https://...:8200 VAULT_TOKEN="..." vault' ;
alias v2='VAULT_ADDR=https://...:8200 VAULT_TOKEN="..." vault' ;
v1 status ;
v2 status ;There's also other utilities out there that could be of interest like: IMO - other major consideration why this request may not be possible - is the isolation expected with each cluster - and so if the expectation with delivering this request is that CLI should have awareness of two separate context where one could copy from A to B cluster (secrets, etc) then that can itself be seen as leaving gaps for impression of functionality that should not be possible by design. @mfischer-zd I'm keen to hear if you've considered these options and how this may still be relevant for you. PS - seems related to #7159. |
Currently Vault can only manage one local vault token in
$HOME/.vault-token. Users at larger sites will likely interact with multiple Vault instances, so it would be useful for Vault to load and save tokens in a file like$HOME/.vault-token-$HASH, where$HASHis a hash (or a prefix thereof) of the remote URL.For example, if
VAULT_ADDR=https://vault.example.com:8200, then the token would be saved to, and loaded from,$HOME/.vault-token-b5852784. (This is based on a SHA-256 hash, using the first 8 significant digits.)$HOME/.vault-tokencould still be used to fall back if no URL-specific token file is available.The text was updated successfully, but these errors were encountered: