Using Envchain to supply password to Vault's command line

zk.s...@gmail.com

Apr 19, 2018, 5:05:31 PM
to Vault
I am trying to supply the password to the Vault command line using EnvChain.

I have the password stored in the keychain and I am able to grep it out and confirm that it's pulling the password from the keychain.

However, I am now trying to get this password inserted into the Vault CLI.  Here is the command before using EnvChain with a hard-coded password.

vault auth -method=ldap -address=https://vault.test.com username="${USER}" password=myPassword


Then I wrapped the command inside of EnvChain.  EnvChain gets the password and creates an environment variable that is LOCAL to the EnvChain process.

envchain sea vault auth -method=ldap -address=https://vault.test.com username="${USER}" password="${DOMAIN_PASSWORD}m"


The problem is, it can't resolve the variable.  Even when I try to echo it to the console, it's empty (envchain sea echo $DOMAIN_PASSWORD).

I could export the password to my environment, but that would kind of defeat the security purpose.

Has anyone used envchain to do what I'm trying to do?



Thanks

David Adams

Apr 19, 2018, 5:35:13 PM
to vault...@googlegroups.com
This doesn't sound like a Vault question. However, I'd double-check that you have DOMAIN_PASSWORD set up correctly in envchain. Does it show up when you run `envchain sea env |grep DOMAIN_PASSWORD`?


KS

Apr 19, 2018, 5:41:49 PM
to vault...@googlegroups.com
Hi David,
Yes, it does show up when I run the command you mentioned. I assume that because envchain is acting as a wrapper around the vault CLI, it should be able to access the environment variable. 
I am bringing this up here only because envchain was recommended here and I was hoping other Vault users were also trying to do what I'm doing. I'm basically trying to automate the process of generating the Vault token. I can do that IF I have a way to supply the password that Vault is asking for. Of course, I could hard-code the password, but that wouldn't be secure.

Thomas Müller

Apr 25, 2018, 7:15:26 AM
to Vault


On Thursday, April 19, 2018 at 23:05:31 UTC+2, zk.s...@gmail.com wrote:
> I am trying to supply the password to the Vault command line using EnvChain.
>
> I have the password stored in the keychain and I am able to grep it out and confirm that it's pulling the password from the keychain.
>
> However, I am now trying to get this password inserted into the Vault CLI.  Here is the command before using EnvChain with a hard-coded password.
>
> vault auth -method=ldap -address=https://vault.test.com username="${USER}" password=myPassword
>
> Then I wrapped the command inside of EnvChain.  EnvChain gets the password and creates an environment variable that is LOCAL to the EnvChain process.
>
> envchain sea vault auth -method=ldap -address=https://vault.test.com username="${USER}" password="${DOMAIN_PASSWORD}m"
>
> The problem is, it can't resolve the variable.  Even when I try to echo it to the console, it's empty (envchain sea echo $DOMAIN_PASSWORD).


I don't know EnvChain, but I suspect ${DOMAIN_PASSWORD} will be evaluated to an empty string by the shell when you hit enter to execute the command. If EnvChain should replace the literal ${DOMAIN_PASSWORD} string, then wrap it with single quotes instead of double quotes.

- Thomas
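
The expansion timing discussed in this thread, shown as an added example that is not part of any poster's message. `env DOMAIN_PASSWORD=...` stands in for `envchain sea` (assumption: like env, envchain only sets the variable for the command it launches and does no text substitution); the secret value and the function names are constructed for illustration.

```shell
#!/bin/sh
# Stand-in for `envchain sea`: the variable exists only in the
# environment of the launched command, never in the calling shell.
run_wrapped() {
    env DOMAIN_PASSWORD='constructed-secret' "$@"
}

# Case 1: double quotes. The CALLING shell expands ${DOMAIN_PASSWORD}
# before the wrapper even starts, so the command receives an empty value.
expanded_by_caller() {
    unset DOMAIN_PASSWORD
    run_wrapped printf '%s' "password=${DOMAIN_PASSWORD}"
}

# Case 2: single quotes only. The literal text reaches the command,
# and nothing in between expands it.
literal_single_quotes() {
    run_wrapped printf '%s' 'password=${DOMAIN_PASSWORD}'
}

# Case 3: single quotes around a command line handed to a child shell.
# That shell runs INSIDE the wrapper, sees the variable, and expands it.
expanded_by_child() {
    run_wrapped sh -c 'printf "%s" "password=${DOMAIN_PASSWORD}"'
}

printf 'caller expands : [%s]\n' "$(expanded_by_caller)"
printf 'single quotes  : [%s]\n' "$(literal_single_quotes)"
printf 'child expands  : [%s]\n' "$(expanded_by_child)"

# Applied to the command from the thread, case 3 has this shape:
#   envchain sea sh -c 'vault auth -method=ldap \
#       -address=https://vault.test.com \
#       username="$USER" password="$DOMAIN_PASSWORD"'
# The password is still an argument of the vault process, so it is
# visible in the process list to other local users while vault runs.
```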