Login for local developer?

Hey there,

we starting to use the vault, but now we are stuck at a problem.
Our app using a API and the API needs a secret.
In our k8s- and gitlab-work it works very well, that we can inject the secret via vault.

But … how can we inject vault-secrets into a local environment?
We want something like this:

  1. DEV checking out project (which has none secrets)
  2. DEV starting the application (via Intellij)
  3. One component recognizes, that the secret is not there.
  4. The component open vault-login interface.
  5. DEV enters his data and the received token will be forwarded to the component.
  6. The component will extract all required information from vault and put it to the application (as file or environment-vars)

The process will ensure that,

  • no secrets has to be in git-repo
  • only authorized devs will get the secret
  • rolling-updates of secrets are possible

Any ideas?

Jetbrains has a plugin here that might help:

Can you elaborate more on “rolling-updates of secrets are possible”?

Thank you for the hint. Sadly the plugin is only for TeamCity (which are we not using).
But I will have a look for familiar plugins in IntelliJ.

Maybe I used the wrong words. I meant rotation of secrets.
In our case: The api-secret (aka api-password, api-key) automatically changes once a week.

Have you considered Cubbyhole Response Wrapping? This would allow you to deliver a ‘wrapping token’ through whatever mechanism to the local environment. The app could then use that to obtain its ‘real’ token for use to request the needed secrets.