I am looking to create a Vault plugin in Go. The high level flow will be something like: the plugin will be hit via a URL, then it will generate some data and put that data into a k/v v2 engine. The data will be k/v and a path.
I am new to Go and Vault, and I am reading the documentation. For starters I am not sure if this is recommended or a best practice. Any guidance or documentation will be appreciated.
Vault plugins are isolated from one another, so that plugin authors don’t need to trust each other.
But why make a plugin at all? Write a stand-alone application that generates that special data and writes it to the KV store on behalf of the client. It would make sense to use the client’s Vault token for the operation so you don’t have to duplicate the security that’s already in Vault.
Hi! Yes, I agree with Guillaume, if it’s possible to avoid writing a plugin then that’s a much easier and very secure route. However, if you do end up writing one because you need the data generated that you mention, you’d probably not want to try to use the kv engine from another engine. You’d want to simply store the data using the req.Storage object that’s passed in during each call. A rather simple and recent plugin it might help to look at would be the one for AliCloud. Its docs are here if you want to get a high-level look at what it does, and its code is here for reference. If you do a plugin, don’t hesitate to ask any questions you encounter along the way, we’re happy to help.
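The req.Storage approach described in the reply above, as an added Go example that is not part of the thread or of the Vault SDK: Storage and StorageEntry are hypothetical local stand-ins for the SDK's logical.Storage and logical.StorageEntry so the file builds offline, MemStorage is a constructed in-memory backend playing the role of req.Storage, and HandleGenerate is the assumed shape of a path callback that generates a value and persists it under the plugin's own key prefix.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"strings"
)

// Hypothetical local copies of the SDK's logical.StorageEntry and the Put half of
// logical.Storage, so this builds without github.com/hashicorp/vault/sdk.
type StorageEntry struct {
	Key   string
	Value []byte
}
type Storage interface {
	Put(ctx context.Context, e *StorageEntry) error
}

// MemStorage is a constructed in-memory backend standing in for req.Storage.
type MemStorage struct{ Data map[string][]byte }

func (m *MemStorage) Put(_ context.Context, e *StorageEntry) error {
	m.Data[e.Key] = e.Value
	return nil
}

// Generated is the record the plugin persists for each request.
type Generated struct {
	Name  string `json:"name"`
	Token string `json:"token"`
}

// HandleGenerate does what a path callback would do: generate the data and
// write it through the request's storage rather than through the kv engine.
func HandleGenerate(ctx context.Context, s Storage, name string) (*Generated, error) {
	// Keep the entry inside the plugin's own "generated/" prefix.
	if name == "" || strings.Contains(name, "/") {
		return nil, errors.New("invalid name")
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	rec := &Generated{Name: name, Token: hex.EncodeToString(buf)}
	raw, _ := json.Marshal(rec) // plain struct of strings: cannot fail
	return rec, s.Put(ctx, &StorageEntry{Key: "generated/" + name, Value: raw})
}
```

In a real plugin the callback receives `req.Storage` from the framework and returns a `*logical.Response` instead of the record; the storage call is the same.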