Commit

Docs
Joachim Jablon committed Jun 2, 2021
1 parent 2474b1b commit f9b3d78
Showing 2 changed files with 11 additions and 6 deletions.
5 changes: 5 additions & 0 deletions docs/howto/read.rst
Expand Up @@ -74,6 +74,11 @@ can write the secret to a specific file:
with ways to write on ephemeral storage, and check your umask__ and the permissions
of the created file. See :ref:`SystemD` for safe integration strategies.

.. note::

``vault-cli env`` also allows you to write secrets to a file just before launching
an arbitrary command.

.. __: https://en.wikipedia.org/wiki/Umask
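
Review bot: The added note says ``vault-cli env`` can write secrets to a file but never names the option that does it. The systemd.rst change in this same commit uses ``--file mysecret:key=/private/path/to/secret/file``, so naming ``--file`` in the note, or pointing to :ref:`SystemD` as the paragraph above does, would let a reader act on it. The note should also say whether the umask and file-permission advice in the preceding paragraph applies to files written this way.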


12 changes: 6 additions & 6 deletions docs/howto/systemd.rst
Expand Up @@ -97,8 +97,8 @@ Save and quit the file. Load you new configuration file with:
$ sudo systemctl daemon-reload
$ sudo systemctl restart myprogram.service
Writing a single secret to a file before start
----------------------------------------------
Writing secrets to files on the filesystem before start
-------------------------------------------------------

In some cases, you will need to have a file in the filesystem that
contains directly the secret. This is often the case with private keys.
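
Review bot: Renaming the section heading changes the anchor generated from its title, so any link that targeted "Writing a single secret to a file before start" should be checked and updated in this commit. "files on the filesystem" is also redundant; "Writing secrets to files before start" says the same thing. Unrelated to the change but visible in the hunk header context: "Load you new configuration file" should read "Load your new configuration file".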
Expand All @@ -110,16 +110,16 @@ be written on disk.

.. __: https://en.wikipedia.org/wiki/RAM_drive

In this case, we’ll also create a service override file, but this time,
we will be adding a command that launches before our main command:
In this case, we’ll also create a service override file. We'll add a wrapper
arount our program like before.

.. code:: console
$ sudo systemctl edit myprogram.service
# opens a new file for edition
[Service]
TemporaryFileSystem=/private
ExecStartPre=vault-cli get mysecret --output=/private/path/to/secret/file
ExecStart=vault-cli env --file mysecret:key=/private/path/to/secret/file -- myprogram --options
Save and quit the file. Load your new configuration file with:
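
Review bot: The new ``ExecStart`` line passes ``--file mysecret:key=/private/path/to/secret/file``, while the removed ``ExecStartPre`` line referred to ``mysecret`` with no ``:key`` suffix, and nothing in the surrounding text explains what ``:key`` selects. Add a sentence describing that part of the argument. In the added prose, "arount" should be "around", and "like before" depends on the reader having read the earlier section, so a short reference to it would help. The added sentence also uses a straight apostrophe ("We'll") next to the curly one kept in "we’ll".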

Expand All @@ -131,7 +131,7 @@ Save and quit the file. Load your new configuration file with:
You will need to configure ``myprogram`` to look for your
secret file at ``/private/path/to/secret/file``.

If you need several files, you can repeat the ``ExecStartPre`` line as
If you need several files, you can add more ``--file`` options, as
many times as needed.

.. note::
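
Review bot: "you can add more ``--file`` options, as many times as needed" mixes two phrasings and reads awkwardly. Suggest "you can repeat the ``--file`` option as many times as needed". Since the override file above shows only one ``--file`` argument, an ``ExecStart`` line with two of them would make the multi-file case concrete.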