Environment Variables in Vault Agent Configuration File


I’m going through the tutorials and documentation, while testing out a Vault Agent on Windows. The documentation shows how to put various vault agent files in top-level directories under the C: drive, i.e. C:\vault-agent. To me, this doesn’t seem the best location to keep them, as it’s a shared directory accessible by anyone who uses the PC. Is that okay?

It seems sensible to put each user's cached files under that user's own %TEMP% directory (e.g. C:\Users\me\AppData\Local\Temp), so there will be no clashes between different users who might use the same PC, especially on shared terminal servers. However, this would require specifying the TEMP environment variable. Is there a way to access environment variables from within the hcl file?

I’ve tried the following, but these were all stabs in the dark and didn’t work:

  sink "file" {
    config = {
      # each of these path forms was tried on its own; none of them expands the variable
      path = "%TEMP%/vault/oidc-sink-file"
      # path = "$(TEMP)/vault/oidc-sink-file"
      # path = "${TEMP}/vault/oidc-sink-file"
      # path = "($TEMP)/vault/oidc-sink-file"
    }
  }

Thanks and kind regards,

Vault Agent does not appear to support environment variables for defining sink file locations per the documentation here: Vault Agent | Vault by HashiCorp

With that said, if you look at the supported auth methods, the Vault Agent seems to be designed for machine-specific use cases as opposed to user-specific use cases. I can see why you’d want to enable user-specific configuration settings, so it might be worth submitting an issue/feature request in GitHub or through the support portal if you have an Enterprise license: Issues · hashicorp/vault · GitHub
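Since the agent's HCL does not expand environment variables itself, the usual way to get a per-user sink location on a shared Windows machine is to render the config file per user at start time. The script below is an added example, not code from the thread or from HashiCorp: it writes the sink stanza with the current user's own %LOCALAPPDATA% path substituted in, and restricts the directory's ACL to that user so the token the sink writes is not readable by anyone else on the terminal server. The directory name, the sink file name and the use of %LOCALAPPDATA% rather than %TEMP% are assumptions for illustration; the auto_auth method stanza is left for the reader's own configuration.

```powershell
# Added example (not from the thread): render a per-user Vault Agent config
# because the agent's HCL parser does not expand environment variables.
# Paths and file names below are illustrative assumptions.
$ErrorActionPreference = 'Stop'

# %LOCALAPPDATA% is private to the logged-on user and, unlike %TEMP%, is not
# routinely cleaned up; C:\vault-agent would be readable by every local user.
$agentDir   = Join-Path $env:LOCALAPPDATA 'vault-agent'
$sinkPath   = Join-Path $agentDir 'oidc-sink-file'
$configPath = Join-Path $agentDir 'agent.hcl'

New-Item -ItemType Directory -Path $agentDir -Force | Out-Null

# Strip inherited ACEs and grant full control to the current user only, so
# other accounts on a shared machine cannot read the cached token.
icacls $agentDir /inheritance:r /grant:r "$($env:USERNAME):(OI)(CI)F" | Out-Null

# HCL quoted strings treat backslashes as escapes; forward slashes are safe on
# Windows and avoid having to double every backslash.
$sinkHcl = $sinkPath -replace '\\', '/'

# The rendered stanza; the method block is the reader's own and is omitted here.
$config = @"
auto_auth {
  # method "<your auto-auth method>" { ... }

  sink "file" {
    config = {
      path = "$sinkHcl"
    }
  }
}
"@

# UTF-8 without a BOM, so the HCL parser sees a clean file on PowerShell 5.1 too.
[System.IO.File]::WriteAllText($configPath, $config, [System.Text.UTF8Encoding]::new($false))
Write-Host "Rendered $configPath with sink path $sinkHcl"

# Start the agent against the rendered file, e.g.:
#   vault agent -config="$configPath"
```

Run this from the user's logon script or from the shortcut that launches the agent; each user then gets their own rendered agent.hcl and sink file, and the ACL step matters as much as the path, since a per-user path under a directory that other users can still read gains nothing.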

Hi, many thanks for the response. Yes, I couldn’t see anything in that example configuration file for environment variables, unfortunately. If it was possible, I thought that would be the best place to show such an example!

I’m not particularly familiar with HCL files in general, so wondered if it would be possible based on the specs of the HCL syntax. I was hoping something like shown at the following link would be possible, but this doesn’t seem to work either …

HCL2 environment variables followup - Packer - HashiCorp Discuss

Thanks for the recommendation; indeed, I think I’ll post an issue on the GitHub page. That was in fact my first port of call, but with 802 currently open issues, I thought maybe this was a better place to ask!