Envconsul secret extra formatting

PavelMikhailouski · October 11, 2019, 8:06am

Imagine we have a third-party app that accepts DB credentials variables of the following format only:
DB_USER
DB_PASSWORD

When using Vault DB secret backend and the following Envconsul config file:

upcase = true
secret {
  no_prefix = true
  path      = "db/creds/app"

  format    = "DB_{{ key }}"
}

we get the following variables populated to the app:
DB_USERNAME
DB_PASSWORD

Is there any way to make Envconsul format environment variable name a bit further than ‘SOMETHING_{{ key }}’?

I’ve tried a couple of Consul template Helper functions but they does not seem to work in Envconsul (according to the code)

Or any workarounds?

eikenb · October 11, 2019, 7:50pm

Hey Pavel,

I can only think of a couple workarounds. The first would be to change the field in vault. The second is to wrap the command in a shell script that re-assigns the variables to the names you want before exec-ing it.

Envconsul only uses consul-templates config, process management and watcher code. It doesn’t use/import any of the template features (as you found out).

Hope this helps.

PavelMikhailouski · October 11, 2019, 8:10pm

Thank you John.

Unfortunately the first option is not relevant in this particular case since Vault DB secret backend returns specific field names (username, password). And as far as I am concerned there’s no way to override these, please correct me if I am wrong.

eikenb · October 11, 2019, 10:00pm

Sorry about that, I am not familiar with all the Vault storage back-ends. I just double checked and yeah… I don’t see a way to customize that on the Vault side of things. I guess that just leaves the wrapper method at this point.

If that doesn’t work or can’t work you could file a feature request issue on github and we can talk about the possibilities there.