Secrets Management
Hashicorp Vault
Using with CLI

Using with Bruno CLI

Pre-requisites

Add the vault connection configuration to the collection's secrets.json file (create one if it doesn't exist). You can use environment variables in the configuration to avoid hardcoding sensitive information.

This is the only additional configuration required to use the vault secrets in the collection using the CLI.


Usage

There are 3 different CLI configurations that can be used.

Vault server with token authentication

secrets.json
{
  "type": "vault",
  "cli": {
    "type": "vault-server",
    "vaultServerConfig": {
      "url": "http://localhost:8200",
      "namespace": "bruno",
      "auth": {
        "method": "token",
        "token": "{{authToken}}"
      }
    }
  },
  "data": [
    {
      "environment": "Prod",
      "secrets": [
        {
          "name": "db",
          "path": "secret/db",
          "enabled": true
        }
      ]
    }
  ]
}

Corresponding CLI command:

bru run folder --env Prod --env-var authToken=your-vault-token

Vault server with appRole authentication

secrets.json
{
  "type": "vault",
  "cli": {
    "type": "vault-server",
    "vaultServerConfig": {
      "url": "http://localhost:8200",
      "namespace": "bruno",
      "auth": {
        "method": "app_role",
        "appRole": {
          "role": "bruno",
          "roleId": "{{roleId}}",
          "secretId": "{{secretId}}"
        }
      }
    }
  }
  "data": [
    {
      "environment": "Prod",
      "secrets": [
        {
          "name": "db",
          "path": "secret/db",
          "enabled": true
        }
      ]
    }
  ]
}

Corresponding CLI command:

bru run folder --env Prod --env-var roleId=your-role-id --env-var secretId=your-secret-id

Vault cloud with client credentials authentication

secrets.json
{
  "type": "vault",
  "cli": {
    "type": "vault-cloud",
    "vaultCloudConfig": {
      "auth": {
        "method": "client-credentials",
        "clientCredentials": {
          "tokenEndpoint": "{{tokenEndpoint}}",
          "secretsEndPoint": "{{secretsEndpoint}}",
          "clientId": "{{clientId}}",
          "clientSecret": "{{clientSecret}}"
        }
      },
      "project": {
        "name": "{{projectName}}",
        "projectId": "{{projectId}}",
        "organizationId": "{{organizationId}}"
      }
    }
  },
  "data": [
    {
      "environment": "Prod",
      "secrets": [
        {
          "name": "db",
          "path": "secret/db",
          "enabled": true
        }
      ]
    }
  ]
}

Corresponding CLI command:

bru run folder --env Prod --env-var tokenEndpoint=your-token-endpoint --env-var secretsEndpoint=your-secrets-endpoint --env-var clientId=your-client-id --env-var clientSecret=your-client-secret --env-var projectName=your-project-name --env-var projectId=your-project-id --env-var organizationId=your-organization-id