Vaultex
HashiCorp Vault client for Elixir.
:lock: Vaultex
A very simple Elixir client that authenticates, reads, writes, and deletes secrets from HashiCorp's Vault. As listed on Vault Libraries.
Installation
The package can be installed as:
- Add vaultex to your list of dependencies in mix.exs:
    def deps do
      [{:vaultex, "~> 0.8"}]
    end
- Ensure vaultex is started before your application:
    def application do
      [applications: [:vaultex]]
    end
Configuration
You can configure your vault endpoint with a single environment variable:
VAULT_ADDR
Or a single application variable:
:vaultex, :vault_addr
An example value for VAULT_ADDR is http://127.0.0.1:8200.
Alternatively the vault endpoint can be specified with environment variables:
VAULT_HOST
VAULT_PORT
VAULT_SCHEME
Or application variables:
:vaultex, :host
:vaultex, :port
:vaultex, :scheme
These default to localhost, 8200, http respectively.
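You can skip SSL certificate verification with the :vaultex, vault_ssl_verify: true option or the VAULT_SSL_VERIFY=true environment variable. With verification skipped, the client cannot detect an impersonated Vault server, so tokens and secrets sent over that connection can be intercepted.
If you do want to use SSL verification, set the VAULT_CACERT environment variable to the SSL certificate location. (See the Vault documentation for more details.)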
Usages
To read a secret you must provide the path to the secret and the authentication backend and credentials you will use to login. See the Vaultex.Client.auth/2 docs for supported auth backends.
Authenticate to different authentication backends.
iex> Vaultex.Client.auth(:app_id, {app_id, user_id})
iex> Vaultex.Client.auth(:userpass, {username, password})
iex> Vaultex.Client.auth(:ldap, {username, password})
iex> Vaultex.Client.auth(:github, {github_token})
iex> Vaultex.Client.auth(:approle, {role_id, secret_id})
iex> Vaultex.Client.auth(:token, {token})
iex> Vaultex.Client.auth(:kubernetes, %{jwt: "jwt", role: "role"})
iex> Vaultex.Client.auth(:radius, %{username: "user", password: "password"})
iex> Vaultex.Client.auth(:aws_iam, {role, server})
Reading secret from authenticated backends.
iex> Vaultex.Client.read "secret/bar", :github, {github_token}
{:ok, %{"value" => "bar"}}
iex> Vaultex.Client.read_dynamic "secret/dynamic/bar", :github, {github_token}
{:ok,
 %{
   "data" => %{"value" => "bar"},
   "lease_duration" => 60,
   "lease_id" => "secret/dynamic/foo/b4z",
   "renewable" => true
 }}
Additional actions on the secret.
iex> Vaultex.Client.renew_lease("secret/dynamic/foo/b4z", 100, :github, {github_token})
{:ok,
 %{
   "lease_id" => "secret/dynamic/foo/b4z",
   "lease_duration" => 160,
   "renewable" => true
 }}
iex> Vaultex.Client.write "secret/foo", %{"value" => "bar"}, :app_id, {app_id, user_id}
iex> Vaultex.Client.delete "secret/foo", :app_id, {app_id, user_id}
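The configuration and read calls above can be combined into one wrapper, shown here as an added example that is not part of Vaultex or its README. It assumes the endpoint is set through VAULT_ADDR and that AppRole credentials arrive in two environment variables whose names (MYAPP_VAULT_ROLE_ID, MYAPP_VAULT_SECRET_ID), like the module name MyApp.VaultSecrets, are hypothetical; the `{:error, reason}` shape for failures is also an assumption.

```elixir
defmodule MyApp.VaultSecrets do
  # Added example, not part of Vaultex. Credentials come from the environment
  # so they never appear in source. These variable names are hypothetical.
  @role_id_var "MYAPP_VAULT_ROLE_ID"
  @secret_id_var "MYAPP_VAULT_SECRET_ID"

  # Returns {:ok, %{data: map, lease_id: binary}} or {:error, reason}.
  def fetch(path) do
    with :ok <- check_endpoint(System.get_env("VAULT_ADDR")),
         {:ok, creds} <- credentials(),
         {:ok, %{"data" => data, "lease_id" => lease_id}} <-
           Vaultex.Client.read_dynamic(path, :approle, creds) do
      {:ok, %{data: data, lease_id: lease_id}}
    else
      {:error, reason} -> {:error, reason}
      other -> {:error, {:unexpected_response, other}}
    end
  end

  # Extends a lease by `seconds`, authenticating with the same AppRole.
  def renew(lease_id, seconds) do
    with {:ok, creds} <- credentials() do
      Vaultex.Client.renew_lease(lease_id, seconds, :approle, creds)
    end
  end

  # Plain http is accepted only for a loopback Vault (local development).
  def check_endpoint(nil), do: {:error, :vault_addr_not_set}

  def check_endpoint(addr) do
    case URI.parse(addr) do
      %URI{scheme: "https", host: host} when is_binary(host) and host != "" -> :ok
      %URI{scheme: "http", host: host} when host in ["127.0.0.1", "localhost"] -> :ok
      _ -> {:error, {:insecure_vault_addr, addr}}
    end
  end

  defp credentials do
    case {System.get_env(@role_id_var), System.get_env(@secret_id_var)} do
      {role_id, secret_id} when is_binary(role_id) and is_binary(secret_id) ->
        {:ok, {role_id, secret_id}}

      _ ->
        {:error, :missing_approle_credentials}
    end
  end
end
```

With VAULT_ADDR=http://127.0.0.1:8200 the scheme check passes; any other http address returns {:error, {:insecure_vault_addr, addr}} before credentials are sent.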
Notes for aws_iam method
The AWS IAM authentication method requires you to have ExAws installed as a dependency and correctly configured. No additional ExAws modules are required. For more details see the Vault AWS docs.
- If role is set to nil, Vault will try to infer the Vault role to use.
- server may be set to nil or to the value to pass in the X-Vault-AWS-IAM-Server-ID header.
Releasing
To release, you need to bump the version and add some changes to the change log. You can do this with:
mix eliver.bump
