fnox

Appearance

HashiCorp Vault

HashiCorp Vault provides advanced secret management with dynamic secrets, leasing, and fine-grained access control.

Prerequisites

  • Vault server running (self-hosted or HCP Vault)
  • Vault CLI installed
  • Vault token with appropriate policies

Installation

bash
# macOS
brew install vault

# Linux
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vault

Configuration

toml
[providers]
vault = { type = "vault", address = "https://vault.example.com:8200", path = "secret/myapp" }  # token optional, can use VAULT_TOKEN env var

Setup

1. Configure Vault Access

bash
# Set Vault address
export VAULT_ADDR="https://vault.example.com:8200"

# Login and get token
vault login -method=userpass username=myuser

# Or export existing token
export VAULT_TOKEN="hvs.CAESIJ..."

2. Create Policy

hcl
# policy.hcl
path "secret/data/myapp/*" {
  capabilities = ["read"]
}

path "secret/metadata/myapp/*" {
  capabilities = ["list"]
}
bash
vault policy write fnox-policy policy.hcl

3. Store Secrets in Vault

bash
# KV v2 engine
vault kv put secret/myapp/database url="postgresql://prod.example.com/db"
vault kv put secret/myapp/api-key value="sk_live_abc123"

4. Reference in fnox

toml
[secrets]
DATABASE_URL = { provider = "vault", value = "database/url" }  # → secret/myapp/database/url
API_KEY = { provider = "vault", value = "api-key/value" }  # → secret/myapp/api-key/value

Usage

bash
# Set token
export VAULT_TOKEN="hvs.CAESIJ..."

# Get secrets
fnox get DATABASE_URL

# Run commands
fnox exec -- ./app

Pros

  • ✅ Advanced features (dynamic secrets, leasing)
  • ✅ Fine-grained access policies
  • ✅ Audit logging
  • ✅ Multi-cloud support
  • ✅ Self-hosted option

Cons

  • ❌ Complex to set up and operate
  • ❌ Requires Vault infrastructure
  • ❌ Token management

Next Steps

Released under the MIT License.

Copyright © 2024-present Jeff Dickey