Vault secrets as environment variables, nested JSON in env

maitza · June 9, 2025, 8:23am

Hello!

I’m trying to migrate kubernetes configmaps to secrets in Vault. I need them as environment variables (Symfony project).

I’m using vault agent injector and annotations in kubernetes (deployment).

 vault.hashicorp.com/agent-inject: 'true'
 vault.hashicorp.com/role: 'beta'
 vault.hashicorp.com/agent-init-first: 'true'
        vault.hashicorp.com/agent-inject-status: 'update'
        vault.hashicorp.com/agent-inject-template-beta-backend-export.properties: |
          {{- with secret "beta-backend/beta-test-it" -}}
          {{- range $k, $v := .Data.data }}
          export {{$k}}='{{$v}}'
          {{- end -}}
          {{ end }}
        vault.hashicorp.com/agent-inject-secret-credentials.txt: 'beta-backend/data/beta-test-it'

in deployment:

cat /vault/secrets/beta-backend-export.properties >> $HOME/.bashrc
source $HOME/.bashrc

I faced problem with JSON env. Let’s say I have env like this:

TEST_ENV='{"it_IT":{"publicKey": "103434-45645643","privateKey":"24bc564c68673c6e340c7aa1f"}}'

Vault agent injector is creating the file and inside I have it with double quotes so like JSON should looks like, but doing source my env is missing double qouotes and looks like:

TEST_ENV='{it_IT:{publicKey: 103434-45645643,privateKey:24bc564c68673c6e340c7aa1f}}'

Is there any option to prevent this? I was thinking about escaping all double quotes in annotation, where export name is injecting? Is it possible?

To get something like:

TEST_ENV='{\"it_IT\":{\"publicKey\": \"10343445645643\",\"privateKey\":\"24bc564c68673c6e340c7aa1f\"}}'

michaelkosir · June 9, 2025, 4:10pm

Hello @maitza!

Vault Agent uses consul-template under the hood for the templating of secrets. I tested it out locally and I believe it behaves as you expect.

What version of Vault is your vault agent sidecar? If you do the test locally with consul-template do you get the same result, or the format you expect?

# store secrets in Vault
$ TEST='{"a": {"b": "c", "d": "e"}}'

$ vault secrets enable -version=2 kv

$ vault kv put kv/example \
   app_foo=bar \
   app_hello=world \
   app_test=$TEST

$ vault kv get kv/example

====== Data ======
Key          Value
---          -----
app_foo      bar
app_hello    world
app_test     {"a": {"b": "c", "d": "e"}}

# template for pulling all secrets
$ cat > template.ctmpl <<EOF
{{- with secret "kv/example" -}}
{{- range \$k, \$v := .Data.data -}}
export {{\$k}}='{{\$v}}'
{{ end }}
{{- end -}}
EOF

# run consul-template locally
$ consul-template \
   -once \
   -template="./template.ctmpl:./out.env" \
   -vault-addr=http://localhost:8200 \
   -vault-token=root \
   -vault-renew-token=false

$ cat out.env

export app_foo='bar'
export app_hello='world'
export app_test='{"a": {"b": "c", "d": "e"}}'

$ source cat.env
$ env | grep app_

app_foo=bar
app_hello=world
app_test={"a": {"b": "c", "d": "e"}}

Topic		Replies	Views
Inject secrets as Environment Variables Vault k8s , vault	2	3329	May 20, 2022
Vault-helm and kubernetes environment variables Vault k8s	15	8681	April 19, 2023
Secrets cannot be assigned as environment variables Vault k8s , vault	8	2120	December 15, 2022
Vault inject token as environment variable Vault k8s	3	407	March 20, 2025
Trouble injecting env variables via vault agent Vault	2	454	November 30, 2022

Vault secrets as environment variables, nested JSON in env

Related topics