I’m working on a CLI tool that integrates with Vault to retrieve application passwords.
For the most part it will be run on workstations, though we’ll probably also have executions triggered from Rundeck.
The tool may have to connect to different Vault servers depending on the secret involved (staging, production, etc.).
Are there any best practices around Vault authentication handling in this case? It seems like I could:
- Have the tool expect VAULT_ADDR and VAULT_TOKEN to be exported as env vars, have some script or Makefile ensure those values get set up and point to the right vault server.
- Have the tool take the vault address & login method (should be either oidc or approle) as configuration and handle the login & token retrieval on its own.
Are there any best practices in this space we should track toward?
It seems like a lot of tools (the Vault CLI itself) assume one Vault server and rely on an exported addr/token, but I do like the simplicity of having all the Vault info in some sort of production.conf and then letting the tool get its own token.
Thanks in advance for any advice,
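One way the two options from the question can coexist in a single resolver, as an added example (not code from the original post or from any Vault tooling): an exported VAULT_ADDR/VAULT_TOKEN pair takes precedence, otherwise a per-environment config supplies the server address and AppRole role_id, and the tool logs in itself via Vault's real `/v1/auth/approle/login` endpoint. The config contents, the hostnames and the `VAULT_SECRET_ID` variable name are assumptions constructed for this example; the HTTP call is injectable so the logic can be exercised without a live server.

```python
import json
import os
import urllib.request
from dataclasses import dataclass
from typing import Callable, Mapping, Optional
# Constructed per-environment config (the "production.conf" idea). Only the AppRole
# role_id lives in config; the secret_id is injected at run time, never written to disk.
CONFIG = {
    "staging": {"addr": "https://vault-staging.example.internal", "auth": "approle",
                "role_id": "STAGING-ROLE-ID-PLACEHOLDER"},
    "production": {"addr": "https://vault-prod.example.internal", "auth": "approle",
                   "role_id": "PROD-ROLE-ID-PLACEHOLDER"},
}
@dataclass
class VaultTarget:
    addr: str
    method: str                  # "token" (pre-exported) or "approle"
    role_id: Optional[str] = None
    secret_id: Optional[str] = None

def resolve_target(env_name: str, config: Mapping, environ: Mapping = os.environ) -> VaultTarget:
    """Exported VAULT_ADDR + VAULT_TOKEN (option 1) win; otherwise fall back to config (option 2)."""
    if environ.get("VAULT_ADDR") and environ.get("VAULT_TOKEN"):
        return VaultTarget(addr=environ["VAULT_ADDR"], method="token")
    cfg = config[env_name]
    # VAULT_SECRET_ID is an assumed variable name for this example (e.g. injected by Rundeck).
    return VaultTarget(addr=cfg["addr"], method=cfg["auth"],
                       role_id=cfg.get("role_id"), secret_id=environ.get("VAULT_SECRET_ID"))

def _http_post(url: str, body: dict) -> dict:
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def approle_login(target: VaultTarget, post: Callable = _http_post) -> str:
    """Vault AppRole login: POST /v1/auth/approle/login, client token is at auth.client_token."""
    if not (target.role_id and target.secret_id):
        raise ValueError("AppRole login needs both role_id and secret_id")
    reply = post(f"{target.addr.rstrip('/')}/v1/auth/approle/login",
                 {"role_id": target.role_id, "secret_id": target.secret_id})
    return reply["auth"]["client_token"]   # keep in memory only; do not persist to ~/.vault-token

def get_token(target: VaultTarget, environ: Mapping = os.environ, post: Callable = _http_post) -> str:
    if target.method == "token":
        return environ["VAULT_TOKEN"]
    if target.method == "approle":
        return approle_login(target, post)
    raise NotImplementedError(f"{target.method}: OIDC needs an interactive browser flow")
```

Keeping the secret_id out of the config file (and the obtained token out of `~/.vault-token`) is what makes the config-driven option safe to commit alongside the tool.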