# systemd-vaultd systemd-vaultd is a proxy between systemd and [vault agent](https://vaultproject.io). It provides a unix socket that can be used in systemd services in the `LoadCredential` option and then waits for vault agent to write these secrets at `/run/systemd-vaultd/-`. ## Systemd's `LoadCredential` option Systemd has an option called `LoadCredentials` that allows to provide credentials to a service: ```conf # myservice.service [Service] ExecStart=/usr/bin/myservice.sh LoadCredential=foobar:/etc/myfoobarcredential.txt ``` In this case systemd will load credential the file `/etc/myfoobarcredential.txt` and provide it to the service at `$CREDENTIAL_PATH/foobar`. While vault agent also supports writing these secrets, a service may be started before vault agent was able to retrieve secrets from vault, in which case systemd would fail to start the service. Here is where `systemd-vaultd` is put to use: In additional to normal paths, systemd also supports loading credentials from unix sockets. With `systemd-vaultd` the service `myservice.service` would look like this: ```conf [Service] ExecStart=/usr/bin/myservice.sh LoadCredential=foobar:/run/systemd-vaultd/sock ``` vault agent is then expected to write secrets to `/run/systemd-vaultd/` ``` template { contents = "{{ with secret \"secret/my-secret\" }}{{ .Data.data.foo }}{{ end }}" destination = "/run/systemd-vaultd/secrets/myservice.service-foo" } ``` When `myservice` is started, systemd will open a connection to `systemd-vaultd`'s socket. `systemd-vaultd` then either serve the secrets from `/run/systemd-vaultd/secrets/myservice.service-foo` or it waits with inotify on secret directory for vault agent to write the secret. ## Installation The installation requires a `go` compiler and `make` to be installed. This command will install the `systemd-vaultd` binary to `/usr/bin/systemd-vaultd` as well as installing a following systemd unit files: `systemd-vaultd.service`, `systemd-vaultd.socket`: ```shell make install ```