
systemd-vaultd

systemd-vaultd is a proxy between systemd and vault agent. It provides a unix socket that can be referenced from a systemd service's LoadCredential option, and then waits for vault agent to write the requested secret to /run/systemd-vaultd/<service_name>-<secret_name>.

Systemd's LoadCredential option

Systemd has an option called LoadCredential that provides credentials to a service:

# myservice.service
[Service]
ExecStart=/usr/bin/myservice.sh
LoadCredential=foobar:/etc/myfoobarcredential.txt

In this case systemd loads the credential from the file /etc/myfoobarcredential.txt and provides it to the service at $CREDENTIAL_PATH/foobar.

While vault agent can also write such credential files, a service may be started before vault agent has retrieved the secret from vault, in which case systemd fails to start the service.

This is where systemd-vaultd comes in: in addition to regular file paths, systemd also supports loading credentials from unix sockets.

With systemd-vaultd the service myservice.service would look like this:

[Service]
ExecStart=/usr/bin/myservice.sh
LoadCredential=foobar:/run/systemd-vaultd/sock

vault agent is then expected to write the secrets into /run/systemd-vaultd/secrets/:

template {
  contents     = "{{ with secret \"secret/my-secret\" }}{{ .Data.data.foo }}{{ end }}"
  destination  = "/run/systemd-vaultd/secrets/myservice.service-foo"
}

When myservice is started, systemd opens a connection to systemd-vaultd's socket. systemd-vaultd then either serves the secret from /run/systemd-vaultd/secrets/myservice.service-foo, or, if the file does not exist yet, waits with inotify on the secrets directory until vault agent has written it.
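The serve-or-wait behaviour described above, as an added example that is not the project's own code. It assumes what systemd.exec(5) documents for socket-backed credentials: systemd binds its client socket to an abstract address of the form "@<random>/unit/<unit name>/<credential id>" and reads the credential until EOF. The file naming "<unit>-<credential id>" under the secrets directory follows the README's example; the socket-activation handling of the real daemon (systemd-vaultd.socket) is not modelled, so main() simply listens on the README's socket path. The peer address format, the 5-minute timeout and the function names are assumptions for this example.

```go
// Added example (not systemd-vaultd's code): a minimal credential server that
// serves a secret if vault agent has already written it, or blocks on inotify
// until it appears. Assumed: systemd's abstract peer address layout
// "@<random>/unit/<unit>/<credential id>" and the "<unit>-<id>" file naming.
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
	"syscall"
	"time"
	"unsafe"
)

// credentialFromPeer maps systemd's abstract peer address to the secret file
// name. Go reports the leading NUL byte of an abstract address as "@".
func credentialFromPeer(peer string) (string, error) {
	parts := strings.Split(strings.TrimPrefix(peer, "@"), "/")
	if len(parts) != 4 || parts[1] != "unit" || parts[2] == "" || parts[3] == "" {
		return "", fmt.Errorf("unexpected peer address %q", peer)
	}
	return parts[2] + "-" + parts[3], nil
}

// waitForSecret returns the secret's contents: immediately if the file exists,
// otherwise after inotify reports it closed-after-write or renamed into place
// (vault agent may write atomically via rename), or an error after timeout.
func waitForSecret(dir, name string, timeout time.Duration) ([]byte, error) {
	fd, err := syscall.InotifyInit1(syscall.IN_CLOEXEC | syscall.IN_NONBLOCK)
	if err != nil {
		return nil, err
	}
	// Add the watch before checking existence so a write racing with the check
	// is still observed as an event rather than missed.
	if _, err := syscall.InotifyAddWatch(fd, dir, syscall.IN_CLOSE_WRITE|syscall.IN_MOVED_TO); err != nil {
		syscall.Close(fd)
		return nil, err
	}
	f := os.NewFile(uintptr(fd), "inotify") // non-blocking fd, so read deadlines work
	defer f.Close()
	path := filepath.Join(dir, name)
	if data, err := os.ReadFile(path); err == nil {
		return data, nil
	}
	if err := f.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return nil, err
	}
	buf := make([]byte, 4096)
	for {
		n, err := f.Read(buf)
		if errors.Is(err, os.ErrDeadlineExceeded) {
			return nil, fmt.Errorf("timed out waiting for %s", path)
		}
		if err != nil {
			return nil, err
		}
		// Walk the variable-length inotify_event records in the buffer.
		for off := 0; off+syscall.SizeofInotifyEvent <= n; {
			ev := (*syscall.InotifyEvent)(unsafe.Pointer(&buf[off]))
			start := off + syscall.SizeofInotifyEvent
			end := start + int(ev.Len)
			evName := strings.TrimRight(string(buf[start:end]), "\x00")
			off = end
			if evName == name {
				return os.ReadFile(path)
			}
		}
	}
}

// serveOne answers one systemd connection: write the secret, then close,
// because systemd reads the credential until EOF.
func serveOne(conn *net.UnixConn, secretsDir string, timeout time.Duration) error {
	defer conn.Close()
	peer := ""
	if a := conn.RemoteAddr(); a != nil {
		peer = a.String()
	}
	name, err := credentialFromPeer(peer)
	if err != nil {
		return err
	}
	data, err := waitForSecret(secretsDir, name, timeout)
	if err != nil {
		return err
	}
	_, err = conn.Write(data)
	return err
}

// serve accepts connections until the listener is closed.
func serve(l *net.UnixListener, secretsDir string, timeout time.Duration) {
	for {
		conn, err := l.AcceptUnix()
		if err != nil {
			return
		}
		go func() {
			if err := serveOne(conn, secretsDir, timeout); err != nil {
				fmt.Fprintln(os.Stderr, "credential request failed:", err)
			}
		}()
	}
}

func main() {
	// Paths from the README; the real daemon is socket-activated instead.
	l, err := net.ListenUnix("unix", &net.UnixAddr{Name: "/run/systemd-vaultd/sock", Net: "unix"})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	serve(l, "/run/systemd-vaultd/secrets", 5*time.Minute)
}
```

The order in waitForSecret matters: the watch is registered before the existence check, so a secret that lands between the check and the read of events is still delivered as an event instead of leaving the service blocked until timeout.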

Installation

The installation requires a Go compiler and make.

This command installs the systemd-vaultd binary to /usr/bin/systemd-vaultd and the following systemd unit files: systemd-vaultd.service and systemd-vaultd.socket:

make install