Vault secrets as environment variables

Secrets-as-env & Secrets-as-file

Solution overview

Figure 1. Solution overview

Bank Vault — Webhook annotations

  • vault-addr: defines the service address of your Vault Helm deployment
  • vault-role: the service account / Vault role name
  • vault-skip-verify: skips TLS certificate verification when connecting to Vault
  • vault-path: the secret location path in your Vault

vault.security.banzaicloud.io/vault-addr: "https://vaultname:443"
vault.security.banzaicloud.io/vault-role: "patroni"
vault.security.banzaicloud.io/vault-skip-verify: "true"
vault.security.banzaicloud.io/vault-path: "secret/patroni"

Bank Vault — Loading secrets

env:
- name: DB_PASSWORD
  value: vault:secret/data/db#DB_SECRET_KEY
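
An added example, not code from the original article or from the Bank-Vaults project: a small Python check that audits a pod template against the webhook annotations and the vault:<path>#<key> reference form shown above. The function names, the secret-name heuristic and the API_TOKEN entry are assumptions made for the illustration.

```python
import re

PREFIX = "vault.security.banzaicloud.io/"
# vault:<path>#<key>, the reference form used in the env snippet above
VAULT_REF = re.compile(r"^vault:(?P<path>[^#\s]+)#(?P<key>[^#\s]+)$")
# Assumed heuristic for env names that usually carry secrets
SECRET_NAME = re.compile(r"(PASSWORD|SECRET|TOKEN|KEY)", re.I)

def parse_vault_ref(value):
    """Return (path, key) for a well-formed vault: reference, else None."""
    m = VAULT_REF.match(value or "")
    return (m["path"], m["key"]) if m else None

def audit_pod(annotations, env):
    """Return a list of findings for one pod template."""
    findings = []
    if not annotations.get(PREFIX + "vault-addr", "").startswith("https://"):
        findings.append("vault-addr is missing or not https")
    if annotations.get(PREFIX + "vault-skip-verify", "false").lower() == "true":
        findings.append("vault-skip-verify is true: Vault's TLS certificate is not verified")
    if not annotations.get(PREFIX + "vault-role"):
        findings.append("vault-role is not set")
    for var in env:
        name, value = var.get("name", ""), var.get("value") or ""
        if value.startswith("vault:"):
            if parse_vault_ref(value) is None:
                findings.append(f"{name}: malformed reference, expected vault:<path>#<key>")
        elif value and SECRET_NAME.search(name):
            findings.append(f"{name}: looks like a secret but holds a literal value")
    return findings

# Constructed sample: the annotations and env entry from this page,
# plus one hypothetical literal secret (API_TOKEN) for contrast.
SAMPLE_ANNOTATIONS = {
    PREFIX + "vault-addr": "https://vaultname:443",
    PREFIX + "vault-role": "patroni",
    PREFIX + "vault-skip-verify": "true",
    PREFIX + "vault-path": "secret/patroni",
}
SAMPLE_ENV = [
    {"name": "DB_PASSWORD", "value": "vault:secret/data/db#DB_SECRET_KEY"},
    {"name": "API_TOKEN", "value": "constructed-literal-value"},
]

if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_ANNOTATIONS, SAMPLE_ENV):
        print("FINDING:", finding)
```
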

How does it work?

Josué Carvajal

Sr. Security software engineer working in the DevSecOps area. CompTIA Sec+, C|EH