The latest articles on Forem by Josh Dvir (@joshdvir). https://forem.com/joshdvir https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F190610%2F10facd32-ee1d-4883-b581-0e71381e05d9.jpeg https://forem.com/joshdvir en Josh Dvir Fri, 10 Jan 2020 18:51:45 +0000 https://forem.com/joshdvir/provide-environment-variables-to-your-applications-in-a-secure-way-4f33 https://forem.com/joshdvir/provide-environment-variables-to-your-applications-in-a-secure-way-4f33 <p>These days even the smallest of startups have multiple applications (microservices), each application has its own needs, but common to all applications is they all have secrets they need to function correctly.<br> To all my clients, I recommend using <a href="https://www.vaultproject.io/">Vault</a> by Hashicorp to keep their secrets safe.</p> <h3> What is Vault? </h3> <p>"Secure, store, and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API." <a href="https://www.vaultproject.io/">(from their website)</a></p> <p><strong>Why do people sometimes need convincing?</strong></p> <p>Most of the responses I get trying to implement such a service are</p> <ul> <li>We do not need such a service</li> <li>It will take too much time to apply, and it's time we don't have.</li> </ul> <p>To help our clients implement the solution in a secure, quick way, we created a small Golang application that connects to Vault and pulls the secrets exposing them as environment variables.</p> <p>I know it sounds simple; it is!</p> <p>The application is <a href="https://github.com/devops-israel/vault-get">vault-get</a>.</p> <h3> How to use <a href="https://github.com/devops-israel/vault-get">vault-get</a>: </h3> <p>All our applications are Docker-based so when we create the Docker image we install <a href="https://github.com/devops-israel/vault-get">vault-get</a> into the container for use:</p> <div class="highlight"><pre class="highlight plaintext"><code>FROM SomeBaseImage ADD https://github.com/devops-israel/vault-get/releases/download/v1.0.0/vault-get-linux-amd64 /usr/bin/vault-get-linux-amd64 RUN chmod +x /usr/bin/vault-get-linux-amd64 \ &amp;&amp; mv /usr/bin/vault-get-linux-amd64 /usr/bin/vault-get WORKDIR /app </code></pre></div> <p><code>Add</code>ing the executable is downloading it and give it the right permissions.</p> <p>Then all you need to do is expose the configuration and <a href="https://github.com/devops-israel/vault-get">vault-get</a> will fetch the secret and expose them as environment variables.</p> <h3> Usage Examples </h3> <div class="highlight"><pre class="highlight plaintext"><code># Using a token auth (--vault_auth token does not need to be set explicitly): eval "$(vault-get --vault_host https://vault.example.com --vault_token mytoken --vault_path secret/my-secret)" # Doing the same with a user and password authentication: eval "$(vault-get --vault_host https://vault.example.com --vault_auth userpass --vault_username user --vault_password pass --vault_path secret/my-secret)" </code></pre></div> <p><a href="https://github.com/devops-israel/vault-get">vault-get</a> has been in production for over 6 months and it helps us provide secure secret injection from Vault to our applications without any need to interact with the application, the app itself gets the environment variables it needs, it's just not aware of the provider 😉</p> <p>A significant benefit we got from moving to Vault was the fact that the Devops team is not a bottleneck anymore, now developers can add the secrets their applications need by themselves, we'll talk about permissions on another post.</p> <p>Either you need a tool like <a href="https://github.com/devops-israel/vault-get">vault-get</a> or not, securing your secrets is the best practice you can take.</p> <p>Good Luck!</p> vault docker security go