VaultConfigProvider is an Elixir Distillery release config provider for loading secrets from Vault into app env at runtime.
Built with Distillery and Vaultex
The package can be installed by adding vault_config_provider to your list of dependencies in mix.exs:

    def deps do
      [
        {:vault_config_provider, "~> 0.1.0"}
      ]
    end

Set up Distillery and add the config provider to the config_providers in rel/config.exs:

    set config_providers: [
      {Mix.Releases.Config.Providers.Elixir, ["${RELEASE_ROOT_DIR}/etc/config.exs"]},
      {VaultConfigProvider, []}
    ]

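Read the Vaultex docs, and configure vaultex with your Vault address and credentials. The Vault address can be set from the system environment or application environment.
VaultConfigProvider assumes Vault auth credentials are already set in the application environment by earlier config providers, which is why it is listed after Mix.Releases.Config.Providers.Elixir above.
For instance, the config file loaded by the standard Mix.Releases.Config.Providers.Elixir should contain something like one of the following:

    # Kubernetes auth: the JWT is read from a file when the config is evaluated
    config :vaultex,
      auth: {:kubernetes, %{jwt: File.read!("/tmp/token"), role: "my_role"}},
      # loopback over plain HTTP; a remote Vault should be reached over https://
      vault_addr: "http://127.0.0.1"

    # Token auth (if both blocks are in one file, this later auth value wins)
    config :vaultex,
      auth: {:token, {"root"}}
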
The provider resolves secret addresses written in one of two forms: strings or keyword lists. Keyword lists can also carry a transformation:

    config :my_app,
      # string form
      username: "secret:secret/services/my_app key=username",
      # keyword-list form of the same setting (use one or the other)
      username: [
        path: "secret/services/my_app",
        key: "username",
        # optional; applied to the value returned from Vault
        fun: &transform/1
      ]

A string address is expected to include secret:/path and key=key_name.
A keyword address must contain the keys key and path; it also accepts an optional fun argument, which can be used for transformations on returned values.
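
The two address forms above, parsed and resolved in a standalone script. This is an added example, not VaultConfigProvider's own code. The module name AddressSketch, the injected read function, the in-memory store, and the shouted, pool_size and typo settings are assumptions made for illustration. It reports an unresolved address as an error instead of leaving the literal "secret:..." string in the setting, and it prints only the outcome, never the resolved value.

```elixir
defmodule AddressSketch do
  # Added sketch, not VaultConfigProvider's code. String form: "secret:<path> key=<key>"
  def parse("secret:" <> rest) do
    case String.split(rest, " key=", parts: 2) do
      [path, key] when path != "" and key != "" -> {:ok, %{path: path, key: key, fun: nil}}
      _ -> {:error, :malformed_string_address}
    end
  end

  # Keyword form: :path and :key are required, :fun is optional.
  def parse(opts) when is_list(opts) do
    if Keyword.keyword?(opts) and Keyword.has_key?(opts, :path) and Keyword.has_key?(opts, :key) do
      {:ok, %{path: opts[:path], key: opts[:key], fun: opts[:fun]}}
    else
      :not_an_address
    end
  end

  def parse(_other), do: :not_an_address

  # `read` is an assumed stand-in for the Vault read: path -> {:ok, map} | {:error, reason}
  def resolve(value, read) do
    case parse(value) do
      {:ok, %{path: path, key: key, fun: fun}} ->
        with {:ok, data} <- read.(path),
             {:ok, secret} <- Map.fetch(data, key) do
          {:ok, if(fun, do: fun.(secret), else: secret)}
        else
          :error -> {:error, {:missing_key, path, key}}
          {:error, reason} -> {:error, {:read_failed, path, reason}}
        end
      {:error, reason} -> {:error, reason}
      :not_an_address -> {:ok, value}
    end
  end
end

# Constructed data standing in for Vault, so the script runs offline.
store = %{"secret/services/my_app" => %{"username" => "svc_my_app"}}
read = fn path -> with :error <- Map.fetch(store, path), do: {:error, :not_found} end
env = [
  username: "secret:secret/services/my_app key=username",
  shouted: [path: "secret/services/my_app", key: "username", fun: &String.upcase/1],
  pool_size: 10,
  typo: "secret:secret/services/my_app key=usrname"
]
for {name, value} <- env do
  {status, detail} = AddressSketch.resolve(value, read)
  IO.puts("#{name}: #{status}" <> if(status == :error, do: " #{inspect(detail)}", else: ""))
end
```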