This tool is designed to act as glue between a Trusted Third Party and HashiCorp Vault. The target use case is with consul-template.
The only supported Trusted Third Party is currently AWS IAM.

| Command Argument | Environment Variable | Default | Description |
|---|---|---|---|
| -role= | IV_ROLE | nil | Role to request from Vault |
| -aws_arn_role= | IV_AWS_ARN_ROLE | nil | ARN of AWS role to use for auth payload for Vault |
| -aws_role= | IV_AWS_ROLE | nil | AWS role to use for auth payload for Vault - it uses the current account's credentials to build the ARN |
| -vault_addr= | IV_VAULT_ADDR | nil | Vault address |
| -wrap_token_ttl= | IV_WRAP_TOKEN_TTL | 5m | TTL for wrapped token, to disable wrapping set to 0 |

```sh
export VAULT_ADDR=https://vault.contoso.com
export VAULT_TOKEN=$(vault-vouch -role="my-role")
consul-template -template "in.tpl:out.conf" -config "conf.hcl" -vault-unwrap-token -vault-renew-token=false
```