systemd-vaultd

systemd-vaultd is a proxy between systemd and vault agent. It provides a unix socket that can be used in systemd services in the LoadCredential option and then waits for vault agent to write these secrets at /run/systemd-vaultd/<service_name>-<secret_name>.

Systemd's LoadCredential option

Systemd has an option called LoadCredentials that allows to provide credentials to a service:

# myservice.service
[Service]
ExecStart=/usr/bin/myservice.sh
LoadCredential=foobar:/etc/myfoobarcredential.txt

In this case systemd will load credential the file /etc/myfoobarcredential.txt and provide it to the service at $CREDENTIAL_PATH/foobar.

While vault agent also supports writing these secrets, a service may be started before vault agent was able to retrieve secrets from vault, in which case systemd would fail to start the service.

Here is where systemd-vaultd is put to use: In additional to normal paths, systemd also supports loading credentials from unix sockets.

With systemd-vaultd the service myservice.service would look like this:

[Service]
ExecStart=/usr/bin/myservice.sh
LoadCredential=foobar:/run/systemd-vaultd/sock

vault agent is then expected to write secrets to /run/systemd-vaultd/

template {
  contents     = "{{ with secret \"secret/my-secret\" }}{{ .Data.data.foo }}{{ end }}"
  destination  = "/run/systemd-vaultd/secrets/myservice.service-foo"
}

When myservice is started, systemd will open a connection to systemd-vaultd's socket. systemd-vaultd then either serve the secrets from /run/systemd-vaultd/secrets/myservice.service-foo or it waits with inotify on secret directory for vault agent to write the secret.

Installation

The installation requires a go compiler and make to be installed.

This command will install the systemd-vaultd binary to /usr/bin/systemd-vaultd as well as installing a following systemd unit files: systemd-vaultd.service, systemd-vaultd.socket:

make install