From a7a0c28261c58e18efb49ce730c9a1ce61d94760 Mon Sep 17 00:00:00 2001 From: Joachim Jablon Date: Wed, 2 Jun 2021 17:49:30 +0200 Subject: [PATCH] Docs --- docs/howto/read.rst | 5 +++++ docs/howto/systemd.rst | 21 +++++++++++++++------ 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/docs/howto/read.rst b/docs/howto/read.rst index 67bc231..821169b 100644 --- a/docs/howto/read.rst +++ b/docs/howto/read.rst @@ -74,6 +74,11 @@ can write the secret to a specific file: with ways to write on ephemeral storage, and check your umask__ and the permissions of the created file. See :ref:`SystemD` for safe integration strategies. +.. note:: + + ``vault-cli env`` also lets you to write secrets to a file just before launching + an arbitrary command. + .. __: https://en.wikipedia.org/wiki/Umask diff --git a/docs/howto/systemd.rst b/docs/howto/systemd.rst index a4da671..3f74aee 100644 --- a/docs/howto/systemd.rst +++ b/docs/howto/systemd.rst @@ -97,8 +97,8 @@ Save and quit the file. Load you new configuration file with: $ sudo systemctl daemon-reload $ sudo systemctl restart myprogram.service -Writing a single secret to a file before start ----------------------------------------------- +Writing secrets to files on the filesystem before start +------------------------------------------------------- In some cases, you will need to have a file in the filesystem that contains directly the secret. This is often the case with private keys. @@ -110,8 +110,8 @@ be written on disk. .. __: https://en.wikipedia.org/wiki/RAM_drive -In this case, we’ll also create a service override file, but this time, -we will be adding a command that launches before our main command: +In this case, we’ll also create a service override file. We'll add a wrapper +arount our program like before. .. code:: console 
@@ -119,7 +119,7 @@ we will be adding a command that launches before our main command: # opens a new file for edition [Service] TemporaryFileSystem=/private - ExecStartPre=vault-cli get mysecret --output=/private/path/to/secret/file + ExecStart=vault-cli env --file mysecret:key=/private/path/to/secret/file -- myprogram --options Save and quit the file. Load your new configuration file with: @@ -131,7 +131,7 @@ Save and quit the file. Load your new configuration file with: You will need to configure ``myprogram`` to look for your secret file at ``/private/path/to/secret/file``. -If you need several files, you can repeat the ``ExecStartPre`` line as +If you need several files, you can add more ``--file`` flags, as many times as needed. .. note:: @@ -143,6 +143,15 @@ many times as needed. Bake secrets into a complex configuration file ---------------------------------------------- +.. warning:: + + It's been reported__ that this approach doesn't work as intended. It's left + for inspiration, but as of today, ``ExecStartPre`` cannot write to the + private filesystem created by ``TemporaryFileSystem`` in way that ``ExecStart`` + can later read. Please refer to the ticket for workarounds. + + .. __: https://github.com/peopledoc/vault-cli/issues/185 + In some cases, the program you want to launch doesn’t accept configuration through environment but only through configuration files. You could be tempted to use the method above, but the configuration file
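Review bot: Grammar in the added ``.. note::`` of ``docs/howto/read.rst``: ``lets you to write secrets to a file`` should read ``lets you write secrets to a file``. Since the note sits directly under the paragraph about ephemeral storage, umask and file permissions, it would help to add that a file written by ``vault-cli env`` is subject to the same caveats, so readers do not assume the ``env`` path is exempt from them.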
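Review bot: Typo in the rewritten paragraph of the ``@@ -97,8`` hunk: ``arount our program`` should be ``around our program``. The same two lines also mix a curly apostrophe (``we’ll``) with a straight one (``We'll``); pick one. "like before" relies on the reader having seen the earlier wrapper section, so a ``:ref:`` to that section would make the sentence self-contained.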
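Review bot: The replacement line in the ``@@ -119,7`` hunk sets ``ExecStart=`` in a drop-in override; for a non-oneshot service systemd only accepts that if the inherited value is first cleared with an empty ``ExecStart=`` line, otherwise the unit fails to load with a multiple-ExecStart error. If the earlier wrapper section already shows that empty line, repeat it in this snippet so the override is copy-pasteable on its own. The new ``--file mysecret:key=/private/path/to/secret/file`` form also introduces the ``secret:key`` selector without explanation, where the removed ``get mysecret --output=...`` wrote the whole secret; a sentence after the snippet saying which key is written would help. Finally, since the warning added later in this patch says ``ExecStartPre`` writes are not visible to ``ExecStart``, it is worth stating here why the wrapper form avoids that: the file is written by the same ``ExecStart`` process that then launches ``myprogram`` after ``--``.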
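Review bot: Minor wording in the ``@@ -131,7`` hunk: ``you can add more --file flags, as many times as needed`` carries a stray comma; ``you can pass --file as many times as needed`` reads cleaner. The ``.. note::`` that follows this sentence is outside the hunk; please check it does not still refer to repeating an ``ExecStartPre`` line, now that the section uses an ``ExecStart`` wrapper.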
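Review bot: Grammar in the new ``.. warning::`` of the ``@@ -143,6`` hunk: ``in way that ExecStart can later read`` should be ``in a way that ExecStart can later read``. The warning explains that ``ExecStartPre`` cannot write into the ``TemporaryFileSystem`` mount for ``ExecStart`` to read, and the section above was just rewritten to avoid exactly that, so pointing readers to the ``vault-cli env --file`` wrapper as the working alternative, not only to the issue, would be more useful. Consider also marking the snippet in this section so nobody copies a configuration the document itself says does not work.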