vault_resolve_secrets: Resolve secrets from R objects

View source: R/vault_resolve_secrets.R

vault_resolve_secrets R Documentation

Resolve secrets from R objects


Use vault to resolve secrets. This is a convenience function that wraps a pattern that we have used in a few applications of vault. The idea is to allow replacement of data in configuration with special strings that indicate that the string refers to a vault secret. This function resolves those secrets.


vault_resolve_secrets(x, ..., login = TRUE, vault_args = NULL)



x: List of values, some of which may refer to vault secrets (see Details for pattern). Any values that are not strings or do not match the pattern of a secret are left as-is.


...: Args to be passed to vault_client call.


login: Login method to be passed to call to vault_client.


vault_args: As an alternative to using login and ..., a list of (named) arguments can be provided here, equivalent to the full set of arguments that you might pass to vault_client. If provided, then login is ignored and if additional arguments are provided through ... an error will be thrown.


For each element of the data, if a string matches the form:

  VAULT:<path to secret>:<field>

then it will be treated as a vault secret and resolved. The <path to secret> will be something like /secret/path/password and the <field> the name of a field in the key/value data stored at that path. For example, suppose you have the data list(username = "alice", password = "s3cret!") stored at /secret/database/user, then the string

  VAULT:/secret/database/user:password

would refer to the value s3cret!
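
An added example (not part of the vaultr package or its documentation): a pre-flight check that lists the vault references in a configuration list without contacting a server, and flags strings that start with VAULT: but do not match the form above, which would otherwise be left as-is. The helper names parse_vault_ref and find_vault_refs, and the rule that the field is the text after the last colon, are assumptions.

```r
# Added example, not vaultr code. Assumption: the field is the text after
# the last colon, following the VAULT:<path to secret>:<field> form above.
parse_vault_ref <- function(s) {
  m <- regmatches(s, regexec("^VAULT:(.+):([^:]+)$", s))[[1]]
  if (length(m) == 0) return(NULL)
  list(path = m[[2]], field = m[[3]])
}

# Hypothetical helper: report every top-level value that looks like a reference.
find_vault_refs <- function(x) {
  rows <- list()
  for (nm in names(x)) {
    el <- x[[nm]]
    if (!is.character(el) || length(el) != 1 || is.na(el)) next
    if (!startsWith(el, "VAULT:")) next
    ref <- parse_vault_ref(el)
    ok <- !is.null(ref)
    rows[[length(rows) + 1]] <- data.frame(
      name = nm,
      path = if (ok) ref$path else NA_character_,
      field = if (ok) ref$field else NA_character_,
      ok = ok,
      stringsAsFactors = FALSE)
  }
  if (length(rows) == 0) {
    return(data.frame(name = character(), path = character(),
                      field = character(), ok = logical()))
  }
  do.call(rbind, rows)
}

# Constructed sample configuration
x <- list(user = "alice",
          password = "VAULT:/secret/database/user:password",
          api_key = "VAULT:/secret/api",  # malformed: no field
          port = 5678)

refs <- find_vault_refs(x)
print(refs)
stopifnot(refs$ok[refs$name == "password"], !refs$ok[refs$name == "api_key"])

# Paths the vault token needs read access to
print(unique(refs$path[refs$ok]))
```

The list of paths is a starting point for scoping the token's policy to only the secrets the configuration actually references.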


List of properties with any vault secrets resolved.


server <- vaultr::vault_test_server(if_disabled = message)

if (!is.null(server)) {
  client <- server$client()
  # The example from above:
  client$write("/secret/database/user",
               list(username = "alice", password = "s3cret!"))

  # A list of data that contains a mix of secrets to be resolved
  # and other data:
  x <- list(user = "alice",
            password = "VAULT:/secret/database/user:password",
            port = 5678)

  # Explicitly pass in the login details and resolve the secrets:
  vaultr::vault_resolve_secrets(x, login = "token", token = server$token,
                                addr = server$addr)

  # Alternatively, if appropriate environment variables are set
  # then this can be done more easily:
  if (requireNamespace("withr", quietly = TRUE)) {
    env <- c(VAULTR_AUTH_METHOD = "token",
             VAULT_TOKEN = server$token,
             VAULT_ADDR = server$addr)
    withr::with_envvar(env, vaultr::vault_resolve_secrets(x))
  }
}

vimc/vaultr documentation built on Nov. 11, 2023, 8:21 a.m.