Using environment variable with dot in it

My secret key has a dot, which is not accepted as an identifier in Bash.
Example of my secret:
"com.tibco.resource.password"=2323

So the source or export command on these expressions or files returns an error: not a valid identifier

export "com.tibco.resource.password"=2323
-bash: export: `com.tibco.resource.password=2323': not a valid identifier

My YAML annotations:

      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/agent-pre-populate-only: 'true'
        vault.hashicorp.com/role: 'diction-dev'
        vault.hashicorp.com/agent-inject-secret-dictenv: 'tibco/dev/apps/dictenv'
        vault.hashicorp.com/agent-inject-perms-dictenv: '0777'
        vault.hashicorp.com/agent-inject-template-dictenv: |
          {{ with secret "tibco/dev/apps/dictenv" -}}
             #!/bin/sh             
              exec env "{{ .Data.data.username }}"="{{ .Data.data.password }}" > /vault/secrets/envfile 
          {{- end }}

Updating my command / args:

        command: ["/bin/sh"]
        args:
          ['-c', 'sh /vault/secrets/dictenv && /scripts/start.sh']

The Spring framework uses these kinds of expressions with env variables. This was fixed in Kubernetes during the initial days by allowing their secrets/configmaps to use dots in their keys.

Is there any way to use an env variable with a dot in it?

I’m having difficulty understanding what you’re asking - Bash is an entirely separate software product to Vault.

This is not a Vault issue, but I wanted to understand if there is a way to export an environment variable that has periods in it.

The following steps explain the issue:

Step 1: Create a Vault KV Secret with dot ==> FINE
vault kv put tibco/dev/apps/dictenv username="com.tibco.resource.password" password="2323"

Step 2: Update YAML Annotation and entrypoint of the Dockerfile in args ==> Suggest any way to export secrets having dots as environment variable.

      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/agent-pre-populate-only: 'true'
        vault.hashicorp.com/role: 'diction-dev'
        vault.hashicorp.com/agent-inject-secret-dictenv: 'tibco/dev/apps/dictenv'
        vault.hashicorp.com/agent-inject-perms-dictenv: '0777'
        vault.hashicorp.com/agent-inject-template-dictenv: |
          {{ with secret "tibco/dev/apps/dictenv" -}}
             #!/bin/sh             
              exec env "{{ .Data.data.username }}"="{{ .Data.data.password }}" > /vault/secrets/envfile 
          {{- end }}

[...]
        command: ["/bin/sh"]
        args:
          ['-c', 'sh /vault/secrets/dictenv && /scripts/start.sh']

Step 3: When deploying the above YAML, everything works as expected, but the env variable is not exported. I have also tried export "{{ .Data.data.username }}"="{{ .Data.data.password }}", which errors out as ‘bad variable/Identifier’.

My question is:
Kubernetes can place such a variable (an env variable with periods in it) into a container’s environment using a Secret.
Is there any way by which Vault can enable the same thing? If not by Vault, any help with the scripting to achieve the same would be appreciated.

The env tool, which you have already quoted using, is capable of this.

I think you’re using it incorrectly though.

You should be doing something more like:

        vault.hashicorp.com/agent-inject-template-dictenv: |
          {{ with secret "tibco/dev/apps/dictenv" -}}
          #!/bin/sh             
          exec env "{{ .Data.data.username }}"="{{ .Data.data.password }}" "$@"
          {{- end }}
        command: ["/vault/secrets/dictenv", "/scripts/start.sh"]
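
The difference between `export` and `env` that the answer above relies on, as an added example that is not part of the original thread. The function names and the temp-dir wrapper (standing in for `/vault/secrets/dictenv`) are assumptions; the last function probes whether the local `sh` forwards a dotted name to its children, which matters if the entrypoint is itself a shell script.

```sh
#!/bin/sh
# Added example: name/value are the thread's sample secret, constructed inline.
NAME='com.tibco.resource.password'
VALUE='2323'

# 1. The shell builtin rejects the name: a dot is not legal in a shell identifier.
#    Run in a subshell because some shells abort the script on this error.
export_dotted() {
    ( export "$NAME=$VALUE" ) 2>/dev/null
}

# 2. env(1) does not treat NAME as a shell identifier; it places NAME=VALUE in
#    the environment of the command it executes. printenv reads it back by name.
env_dotted() {
    env "$NAME=$VALUE" printenv "$NAME"
}

# 3. The wrapper the answer's template would render to, written to a temp dir
#    (assumption: stands in for /vault/secrets/dictenv). "$@" is the entrypoint.
wrapper_dotted() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/dictenv" <<EOF
#!/bin/sh
exec env "$NAME"="$VALUE" "\$@"
EOF
    out=$(sh "$dir/dictenv" printenv "$NAME")
    rc=$?
    rm -rf "$dir"
    printf '%s\n' "$out"
    return "$rc"
}

# 4. Probe: does this system's sh forward a dotted name to its own children?
#    Prints "forwarded" or "dropped"; relevant when the entrypoint is a sh script.
sh_forwarding() {
    if env "$NAME=$VALUE" sh -c 'printenv "$1"' sh "$NAME" >/dev/null 2>&1; then
        echo forwarded
    else
        echo dropped
    fi
}

export_dotted || echo "export:  rejected"
echo "env:     $(env_dotted)"
echo "wrapper: $(wrapper_dotted)"
echo "sh:      $(sh_forwarding)"
```

If the probe prints `dropped`, the variable reaches the first process started by `env` but not a program launched from a `sh` script in between.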

This did not work. I also tried to run the command in the same shell, and that is not working either.
command: ["/vault/secrets/dictenv" && "/scripts/start.sh"]

Will check with an image allowing BASH shell to the user before looking into scripting to solve this.

Hello @gauravkr19
Were you able to fix the problem? I am not able to assign secrets as env vars; explained here; what is your receipt?

Thanks & Regards