HCP Vault Secrets

chezmoi includes support for HCP Vault Secrets using the vlt CLI to expose data through the hcpVaultSecret and hcpVaultSecretJson template functions.

Log in using:

vlt login

The output of vlt secrets get --plaintext $SECRET_NAME is available through the hcpVaultSecret template function, for example:

{{ hcpVaultSecret "secret_name" "application_name" "project_id" "organization_id" }}

You can set the default values for the application name, project ID, and organization ID in your config file, for example:

~/.config/chezmoi/chezmoi.toml
[hcpVaultSecrets]
    organizationId = "bf479eab-a292-4b46-92df-e22f5c47eadc"
    projectId = "5907a2fa-d26a-462a-8705-74dfe967e87d"
    applicationName = "my-application"

With these default values, you can omit them in the call to hcpVaultSecret, for example:

{{ hcpVaultSecret "secret_name" }}
{{ hcpVaultSecret "other_secret_name" "other_application_name" }}

Structured data from vlt secrets get --format=json $SECRET_NAME is available as the hcpVaultSecretJson template function, for example:

{{ (hcpVaultSecretJson "secret_name").created_by.email }}

vlt vs hcp: Upgrades that Break

HashiCorp ended support for the vlt CLI tool in September 2024 and recommends migrating to the hcp CLI. Unfortunately, the hcp CLI's commands and output do not match vlt's, so hcpVaultSecret and hcpVaultSecretJson do not work when only the recommended command-line tool is installed. Contributions to create new integrations for HCP Vault Secrets are welcome.

Until such integrations exist, anyone using HCP Vault Secrets who must upgrade to the hcp client is recommended to combine the output and fromJson template functions instead:

{{- $app_name := "my-app-name" -}}
{{- $secret_name := "gdrive-secrets" -}}
{{- $secret :=
    output "hcp" "vs" "s" "open" "--format" "json" "--app" $app_name $secret_name
    | fromJson -}}
[GDrive]
type = drive
client_secret = {{ $secret.static_version.value }}

$HCP_CLIENT_ID and $HCP_CLIENT_SECRET must be set and exported in the environment chezmoi runs in for the above template to work.
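As an added example, not chezmoi's own code, the Go program below runs the workaround template above through text/template with two stand-ins: output returns a constructed copy of the hcp JSON instead of executing hcp, and fromJson is a plain json.Unmarshal. The sample JSON fields other than static_version.value are assumed, as is missingkey=error being chezmoi's default template option; the point is to see how the pipeline resolves and that a wrong JSON path aborts the render rather than writing "<no value>" into the generated config.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// Constructed stand-in for `hcp vs secrets open --format json` output; only static_version.value is on the page.
const sampleSecretJSON = `{"name":"gdrive-secrets","type":"kv","static_version":{"version":1,"value":"s3cr3t-constructed"}}`

// fakeOutput stands in for chezmoi's output function: it returns the constructed JSON instead of running hcp.
func fakeOutput(name string, args ...string) (string, error) {
	if name != "hcp" || len(args) < 2 || args[0] != "vs" {
		return "", fmt.Errorf("unexpected command %s %v", name, args)
	}
	return sampleSecretJSON, nil
}

// fromJSON mirrors chezmoi's fromJson: parse JSON into nested maps and slices.
func fromJSON(s string) (any, error) {
	var v any
	err := json.Unmarshal([]byte(s), &v)
	return v, err
}

// The workaround template from the page, with the pipeline on a single line.
const rcloneTemplate = `{{- $app_name := "my-app-name" -}}
{{- $secret_name := "gdrive-secrets" -}}
{{- $secret := output "hcp" "vs" "s" "open" "--format" "json" "--app" $app_name $secret_name | fromJson -}}
[GDrive]
type = drive
client_secret = {{ $secret.static_version.value }}
`

// Render executes tmplText with the two functions above. missingkey=error (assumed to be
// chezmoi's default) makes a wrong JSON path fail instead of writing "<no value>" into the config.
func Render(tmplText string) (string, error) {
	funcs := template.FuncMap{"output": fakeOutput, "fromJson": fromJSON}
	t, err := template.New("rclone.conf").Option("missingkey=error").Funcs(funcs).Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, nil); err != nil {
		return "", err
	}
	return buf.String(), nil
}
```

Swapping fakeOutput for a function that runs the real hcp binary would need $HCP_CLIENT_ID and $HCP_CLIENT_SECRET in the environment, exactly as the template does under chezmoi.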

See issue #4146 for more details.