Vault is a secrets store created by HashiCorp.
It's convenient to store credentials for a servers/services infrastructure.
DcK I'm currently working on a Vault TCL client, probably to integrate to tcllib when more features are added: vault.tcl
Currently allows to login through AppRole with roleID and secretID and fetch a credential from KV v2.
::vault::readKV returns a dictionary with your credentials data ("data"), the Vault metadata ("metadata"). Since Vault 1.9 it's possible to store custom metadata, it's available in metadata under the custom_metadata key.
For oneshot configuration, the workflow is straighforward:
If you need to do so during the application lifecycle, the token can expire and you need to relogin:
package require vault proc vault_login {} { global vault ::vault::init $vault(host) ::vault::appRoleLogin $vault(roleID) $vault(secretID) } proc vault_get {property {key {}}} { if {[catch {set credential [::vault::readKV secrets/$property $key]} err]} { if {[string match "*403 Forbidden*" $err]} { # Token expired? vault_login return [::vault::readKV secrets/$property $key] } } return $credential }
In your software config, build a vault array then call vault_login:
set vault(host) localhost:8200 set vault(roleID) 00000000-0000-0000-0000-000000000000 set vault(secretID) 00000000-0000-0000-0000-000000000000 vault_login
And each time you need a credential, call vault_get to read the secret:
set sql_credentials [dict get [vault_get mysql] data] sql connect somehost [dict get $sql_credentials username] [dict get $sql_credentials password]