talebearer

noun

A person who spreads scandal or tells secrets; gossip

Note

This code is not being actively developed, and has not seen substantial change for more than 2 years. It was in use in production for a period of about 2 years, but has since been replaced by another tool (not based on Hashicorp Vault). I am publishing it here as a reference for others.

What this app does

Talebearer takes an input properties file, reads any secret placeholder values from Vault, and writes the resulting properties map to an output properties file.

Secret placeholders are denoted by {{ }}, i.e. double curly braces). Talebearer queries vault for the path given within the braces. If a secret is found, it will replace the value with that from Vault, otherwise, it will replace the path with an error message.

The path within the braces is of the form path/to/secret!key, i.e. vault write secret/example foo=bar would be referenced by secret/example!foo.

Examples

For the following properties file:

foo={{ secret/example!foo }}
key1=value1

And the following in vault:

vault write secret/example foo=bar

The output properties file should contain:

foo=bar
key1=value1

Usage

Ensure the vault client environment variables are set, e.g:

export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=d1bc686b-b987-3773-ad7d-15655cb833f4

talebearer -input-file ./examples/example.properties -output-file ./test.properties