Simple secure credentials into YAML with Vault and Spruce

We use YAML for configuration of many things – Concourse pipelines, BOSH deployments, Cloud Foundry applications, and more. And we continually want to be more secure with how we handle our secrets.

Two tools can be used together to help:

  • Hashicorp vault for storing secrets
  • Geoff Franks spruce for merging vault secrets into YAML files.

To quickly see them in action, run Vault in local dev mode (in-memory, http only, unsealed).

$ vault server -dev

[editor: of course, you wouldn’t run vault in -dev mode in production]

In another window, pretend to store your master AWS secrets into your Vault:

$ export VAULT_ADDR=
$ vault write secret/aws/starkandwayne access=XXX secret=YYY
Success! Data written to: secret/aws/starkandwayne

To confirm that there is both access and secret keys stored in Vault:

$ vault read secret/aws/starkandwayne
Key             	Value
---             	-----
refresh_interval	2592000
access          	XXX
secret          	YYY

Now create your publicly publishable YAML config file, that references your vault path:

    access_key: (( vault "secret/aws/starkandwayne:access" ))
    secret_key: (( vault "secret/aws/starkandwayne:secret" ))

This configuration file can now be included in OSS/public repositories because the secrets are stored in Vault.

Only you (or your team that has access to a Vault with the same keys) can now merge in the values with spruce):

$ spruce merge base.yml

The output will include the secrets:

    access_key: XXX
    secret_key: YYY

Learn more about Vault, Spruce and how we’re using them with

Spread the word

twitter icon facebook icon linkedin icon