• Stars
    star
    30,858
  • Rank 566 (Top 0.02 %)
  • Language
    Go
  • License
    Other
  • Created over 9 years ago
  • Updated about 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A tool for secrets management, encryption as a service, and privileged access management

Vault build ci vault enterprise


Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, please responsibly disclose by contacting us at [email protected].


Vault Logo

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

A modern system requires access to a multitude of secrets: database credentials, API keys for external services, credentials for service-oriented architecture communication, etc. Understanding who is accessing what secrets is already very difficult and platform-specific. Adding on key rolling, secure storage, and detailed audit logs is almost impossible without a custom solution. This is where Vault steps in.

The key features of Vault are:

  • Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.

  • Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up.

  • Data Encryption: Vault can encrypt and decrypt data without storing it. This allows security teams to define encryption parameters and developers to store encrypted data in a location such as a SQL database without having to design their own encryption methods.

  • Leasing and Renewal: All secrets in Vault have a lease associated with them. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.

  • Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets, but a tree of secrets, for example, all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.

Documentation, Getting Started, and Certification Exams

Documentation is available on the Vault website.

If you're new to Vault and want to get started with security automation, please check out our Getting Started guides on HashiCorp's learning platform. There are also additional guides to continue your learning.

For examples of how to interact with Vault from inside your application in different programming languages, see the vault-examples repo. An out-of-the-box sample application is also available.

Show off your Vault knowledge by passing a certification exam. Visit the certification page for information about exams and find study materials on HashiCorp's learning platform.

Developing Vault

If you wish to work on Vault itself or any of its built-in systems, you'll first need Go installed on your machine.

For local dev first make sure Go is properly installed, including setting up a GOPATH. Ensure that $GOPATH/bin is in your path as some distributions bundle the old version of build tools. Next, clone this repository. Vault uses Go Modules, so it is recommended that you clone the repository outside of the GOPATH. You can then download any required build tools by bootstrapping your environment:

$ make bootstrap
...

To compile a development version of Vault, run make or make dev. This will put the Vault binary in the bin and $GOPATH/bin folders:

$ make dev
...
$ bin/vault
...

To compile a development version of Vault with the UI, run make static-dist dev-ui. This will put the Vault binary in the bin and $GOPATH/bin folders:

$ make static-dist dev-ui
...
$ bin/vault
...

To run tests, type make test. Note: this requires Docker to be installed. If this exits with exit status 0, then everything is working!

$ make test
...

If you're developing a specific package, you can run tests for just that package by specifying the TEST variable. For example below, only vault package tests will be run.

$ make test TEST=./vault
...

Importing Vault

This repository publishes two libraries that may be imported by other projects: github.com/hashicorp/vault/api and github.com/hashicorp/vault/sdk.

Note that this repository also contains Vault (the product), and as with most Go projects, Vault uses Go modules to manage its dependencies. The mechanism to do that is the go.mod file. As it happens, the presence of that file also makes it theoretically possible to import Vault as a dependency into other projects. Some other projects have made a practice of doing so in order to take advantage of testing tooling that was developed for testing Vault itself. This is not, and has never been, a supported way to use the Vault project. We aren't likely to fix bugs relating to failure to import github.com/hashicorp/vault into your project.

See also the section "Docker-based tests" below.

Acceptance Tests

Vault has comprehensive acceptance tests covering most of the features of the secret and auth methods.

If you're working on a feature of a secret or auth method and want to verify it is functioning (and also hasn't broken anything else), we recommend running the acceptance tests.

Warning: The acceptance tests create/destroy/modify real resources, which may incur real costs in some cases. In the presence of a bug, it is technically possible that broken backends could leave dangling data behind. Therefore, please run the acceptance tests at your own risk. At the very least, we recommend running them in their own private account for whatever backend you're testing.

To run the acceptance tests, invoke make testacc:

$ make testacc TEST=./builtin/logical/consul
...

The TEST variable is required, and you should specify the folder where the backend is. The TESTARGS variable is recommended to filter down to a specific resource to test, since testing all of them at once can sometimes take a very long time.

Acceptance tests typically require other environment variables to be set for things such as access keys. The test itself should error early and tell you what to set, so it is not documented here.

For more information on Vault Enterprise features, visit the Vault Enterprise site.

Docker-based Tests

We have created an experimental new testing mechanism inspired by NewTestCluster. An example of how to use it:

import (
  "testing"
  "github.com/hashicorp/vault/sdk/helper/testcluster/docker"
)

func Test_Something_With_Docker(t *testing.T) {
  opts := &docker.DockerClusterOptions{
    ImageRepo: "hashicorp/vault", // or "hashicorp/vault-enterprise"
    ImageTag:    "latest",
  }
  cluster := docker.NewTestDockerCluster(t, opts)
  defer cluster.Cleanup()
  
  client := cluster.Nodes()[0].APIClient()
  _, err := client.Logical().Read("sys/storage/raft/configuration")
  if err != nil {
    t.Fatal(err)
  }
}

Or for Enterprise:

import (
  "testing"
  "github.com/hashicorp/vault/sdk/helper/testcluster/docker"
)

func Test_Something_With_Docker(t *testing.T) {
  opts := &docker.DockerClusterOptions{
    ImageRepo: "hashicorp/vault-enterprise",
    ImageTag:  "latest",
	VaultLicense: licenseString, // not a path, the actual license bytes
  }
  cluster := docker.NewTestDockerCluster(t, opts)
  defer cluster.Cleanup()
}

Here is a more realistic example of how we use it in practice. DefaultOptions uses hashicorp/vault:latest as the repo and tag, but it also looks at the environment variable VAULT_BINARY. If populated, it will copy the local file referenced by VAULT_BINARY into the container. This is useful when testing local changes.

Instead of setting the VaultLicense option, you can set the VAULT_LICENSE_CI environment variable, which is better than committing a license to version control.

Optionally you can set COMMIT_SHA, which will be appended to the image name we build as a debugging convenience.

func Test_Custom_Build_With_Docker(t *testing.T) {
  opts := docker.DefaultOptions(t)
  cluster := docker.NewTestDockerCluster(t, opts)
  defer cluster.Cleanup()
}

There are a variety of helpers in the github.com/hashicorp/vault/sdk/helper/testcluster package, e.g. these tests below will create a pair of 3-node clusters and link them using PR or DR replication respectively, and fail if the replication state doesn't become healthy before the passed context expires.

Again, as written, these depend on having a Vault Enterprise binary locally and the env var VAULT_BINARY set to point to it, as well as having VAULT_LICENSE_CI set.

func TestStandardPerfReplication_Docker(t *testing.T) {
  opts := docker.DefaultOptions(t)
  r, err := docker.NewReplicationSetDocker(t, opts)
  if err != nil {
      t.Fatal(err)
  }
  defer r.Cleanup()

  ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
  defer cancel()
  err = r.StandardPerfReplication(ctx)
  if err != nil {
    t.Fatal(err)
  }
}

func TestStandardDRReplication_Docker(t *testing.T) {
  opts := docker.DefaultOptions(t)
  r, err := docker.NewReplicationSetDocker(t, opts)
  if err != nil {
    t.Fatal(err)
  }
  defer r.Cleanup()

  ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
  defer cancel()
  err = r.StandardDRReplication(ctx)
  if err != nil {
    t.Fatal(err)
  }
}

Finally, here's an example of running an existing OSS docker test with a custom binary:

$ GOOS=linux make dev
$ VAULT_BINARY=$(pwd)/bin/vault go test -run 'TestRaft_Configuration_Docker' ./vault/external_tests/raft/raft_binary
ok      github.com/hashicorp/vault/vault/external_tests/raft/raft_binary        20.960s

More Repositories

1

terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
Go
42,550
star
2

consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
Go
28,256
star
3

vagrant

Vagrant is a tool for building and distributing development environments.
Ruby
26,132
star
4

packer

Packer is a tool for creating identical machine images for multiple platforms from a single source configuration.
Go
15,086
star
5

nomad

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.
Go
14,809
star
6

terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
Go
9,761
star
7

raft

Golang implementation of the Raft consensus protocol
Go
7,383
star
8

serf

Service orchestration and management tool.
Go
5,692
star
9

hcl

HCL is the HashiCorp configuration language.
Go
5,236
star
10

go-plugin

Golang plugin system over RPC.
Go
4,874
star
11

terraform-cdk

Define infrastructure resources using programming constructs and provision them using HashiCorp Terraform
TypeScript
4,868
star
12

waypoint

A tool to build, deploy, and release any application on any platform.
Go
4,789
star
13

consul-template

Template rendering, notifier, and supervisor for @HashiCorp Consul and Vault data.
Go
4,750
star
14

terraform-provider-azurerm

Terraform provider for Azure Resource Manager
Go
4,528
star
15

otto

Development and deployment made easy.
HTML
4,282
star
16

golang-lru

Golang LRU cache
Go
4,221
star
17

boundary

Boundary enables identity-based access management for dynamic infrastructure.
Go
3,847
star
18

memberlist

Golang package for gossip based membership and failure detection
Go
3,303
star
19

go-memdb

Golang in-memory database built on immutable radix trees
Go
2,937
star
20

next-mdx-remote

Load mdx content from anywhere through getStaticProps in next.js
TypeScript
2,405
star
21

terraform-provider-google

Terraform Provider for Google Cloud Platform
Go
2,325
star
22

go-multierror

A Go (golang) package for representing a list of errors as a single error.
Go
2,029
star
23

yamux

Golang connection multiplexing library
Go
2,003
star
24

envconsul

Launch a subprocess with environment variables using data from @HashiCorp Consul and Vault.
Go
1,967
star
25

go-retryablehttp

Retryable HTTP client in Go
Go
1,702
star
26

terraform-provider-kubernetes

Terraform Kubernetes provider
Go
1,580
star
27

go-getter

Package for downloading things from a string URL using a variety of protocols.
Go
1,541
star
28

best-practices

HCL
1,490
star
29

go-version

A Go (golang) library for parsing and verifying versions and version constraints.
Go
1,459
star
30

go-metrics

A Golang library for exporting performance and runtime metrics to external metrics systems (i.e. statsite, statsd)
Go
1,453
star
31

setup-terraform

Sets up Terraform CLI in your GitHub Actions workflow.
JavaScript
1,352
star
32

terraform-guides

Example usage of HashiCorp Terraform
HCL
1,324
star
33

mdns

Simple mDNS client/server library in Golang
Go
1,020
star
34

terraform-provider-helm

Terraform Helm provider
Go
997
star
35

vault-guides

Example usage of HashiCorp Vault secrets management
Shell
990
star
36

go-immutable-radix

An immutable radix tree implementation in Golang
Go
926
star
37

vault-helm

Helm chart to install Vault and other associated components.
Shell
904
star
38

terraform-ls

Terraform Language Server
Go
896
star
39

vscode-terraform

HashiCorp Terraform VSCode extension
TypeScript
870
star
40

levant

An open source templating and deployment tool for HashiCorp Nomad jobs
Go
825
star
41

vault-k8s

First-class support for Vault and Kubernetes.
Go
697
star
42

terraform-exec

Terraform CLI commands via Go.
Go
675
star
43

consul-k8s

First-class support for Consul Service Mesh on Kubernetes
Go
665
star
44

terraform-aws-vault

A Terraform Module for how to run Vault on AWS using Terraform and Packer
HCL
659
star
45

terraform-github-actions

Terraform GitHub Actions
Shell
624
star
46

terraform-provider-vsphere

Terraform Provider for VMware vSphere
Go
617
star
47

raft-boltdb

Raft backend implementation using BoltDB
Go
585
star
48

nextjs-bundle-analysis

A github action that provides detailed bundle analysis on PRs for next.js apps
JavaScript
562
star
49

go-discover

Discover nodes in cloud environments
Go
562
star
50

consul-replicate

Consul cross-DC KV replication daemon.
Go
504
star
51

next-mdx-enhanced

A Next.js plugin that enables MDX pages, layouts, and front matter
JavaScript
500
star
52

docker-vault

Official Docker images for Vault
Shell
492
star
53

terraform-provider-kubernetes-alpha

A Terraform provider for Kubernetes that uses dynamic resource types and server-side apply. Supports all Kubernetes resources.
Go
490
star
54

vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
Go
466
star
55

terraform-k8s

Terraform Cloud Operator for Kubernetes
Go
454
star
56

puppet-bootstrap

A collection of single-file scripts to bootstrap your machines with Puppet.
Shell
444
star
57

cap

A collection of authentication Go packages related to OIDC, JWKs, Distributed Claims, LDAP
Go
436
star
58

terraform-provider-vault

Terraform Vault provider
Go
431
star
59

damon

A terminal UI (TUI) for HashiCorp Nomad
Go
427
star
60

nomad-autoscaler

Nomad Autoscaler brings autoscaling to your Nomad workloads.
Go
424
star
61

consul-helm

Helm chart to install Consul and other associated components.
Shell
422
star
62

terraform-provider-azuread

Terraform provider for Azure Active Directory
Go
419
star
63

vault-ssh-helper

Vault SSH Agent is used to enable one time keys and passwords
Go
404
star
64

terraform-provider-scaffolding

Quick start repository for creating a Terraform provider
Go
402
star
65

terraform-aws-consul

A Terraform Module for how to run Consul on AWS using Terraform and Packer
HCL
401
star
66

docker-consul

Official Docker images for Consul.
Dockerfile
399
star
67

nomad-pack

Go
393
star
68

hil

HIL is a small embedded language for string interpolations.
Go
392
star
69

vault-action

A GitHub Action that simplifies using HashiCorp Vaultโ„ข secrets as build variables.
JavaScript
391
star
70

learn-terraform-provision-eks-cluster

HCL
389
star
71

terraform-plugin-sdk

Terraform Plugin SDK enables building plugins (providers) to manage any service providers or custom in-house solutions
Go
383
star
72

terraform-config-inspect

A helper library for shallow inspection of Terraform configurations
Go
380
star
73

hcl2

Former temporary home for experimental new version of HCL
Go
375
star
74

errwrap

Errwrap is a Go (golang) library for wrapping and querying errors.
Go
373
star
75

go-cleanhttp

Go
366
star
76

design-system

Helios Design System
TypeScript
358
star
77

logutils

Utilities for slightly better logging in Go (Golang).
Go
356
star
78

vault-ruby

The official Ruby client for HashiCorp's Vault
Ruby
336
star
79

vault-rails

A Rails plugin for easily integrating Vault secrets
Ruby
334
star
80

next-remote-watch

Decorated local server for next.js that enables reloads from remote data changes
JavaScript
325
star
81

waypoint-examples

Example Apps that can be deployed with Waypoint
PHP
325
star
82

go-hclog

A common logging package for HashiCorp tools
Go
319
star
83

vault-csi-provider

HashiCorp Vault Provider for Secret Store CSI Driver
Go
308
star
84

nomad-guides

Example usage of HashiCorp Nomad
HCL
281
star
85

consul-haproxy

Consul HAProxy connector for real-time configuration
Go
279
star
86

terraform-provider-google-beta

Terraform Provider for Google Cloud Platform (Beta)
Go
265
star
87

consul-esm

External service monitoring for Consul
Go
262
star
88

http-echo

A tiny go web server that echos what you start it with!
Makefile
257
star
89

terraform-provider-awscc

Terraform AWS Cloud Control provider
HCL
256
star
90

terraform-aws-nomad

A Terraform Module for how to run Nomad on AWS using Terraform and Packer
HCL
254
star
91

faas-nomad

OpenFaaS plugin for Nomad
Go
252
star
92

go-sockaddr

IP Address/UNIX Socket convenience functions for Go
Go
250
star
93

terraform-foundational-policies-library

Sentinel is a language and framework for policy built to be embedded in existing software to enable fine-grained, logic-based policy decisions. This repository contains a library of Sentinel policies, developed by HashiCorp, that can be consumed directly within the Terraform Cloud platform.
HCL
233
star
94

nomad-driver-podman

A nomad task driver plugin for sandboxing workloads in podman containers
Go
226
star
95

vagrant-vmware-desktop

Official provider for VMware desktop products: Fusion, Player, and Workstation.
Go
225
star
96

go-tfe

HCP Terraform/Enterprise API Client/SDK in Golang
Go
224
star
97

nomad-pack-community-registry

A repo for Packs written and maintained by Nomad community members
HCL
215
star
98

boundary-reference-architecture

Example reference architecture for a high availability Boundary deployment on AWS.
HCL
211
star
99

terraform-plugin-framework

A next-generation framework for building Terraform providers.
Go
204
star
100

vault-plugin-auth-kubernetes

Vault authentication plugin for Kubernetes Service Accounts
Go
192
star