Managing HashiCorp Vault with Configu Orchestrator

Ran Cohen on

HashiCorp Vault is an identity-based secrets and encryption management system. It provides a unified interface to any secret, while providing tight access control and recording a detailed audit log. Vault can be used to store and manage a wide variety of secrets, including:

  • API keys
  • Passwords
  • Certificates
  • SSH keys
  • Database credentials
  • TLS certificates

Today’s developer teams are also expected to manage config ops on the platform, and HashiCorp Vault is a good way to show how Configu lets you focus on your config schemas while it handles the rest, including talking to Vault’s API to validate your new config values and put them in place.

To complete the tutorial, you’ll need a HashiCorp Vault server and credentials (the easiest way is to run it as a Docker container), Git, Configu’s CLI, and a simple ‘hello world’ app to deploy, which we’ve provided in this repo.

In most cases, your application already has a configuration file. In this example, we will examine Python code that consumes a PostgreSQL connection URL and a .env file:

import os

# Build the PostgreSQL connection URL from the individual environment variables.
os.environ['DB_URL'] = 'psql://{user}:{password}@{host}:{port}/{name}'.format(
    user=os.environ['DB_USER'],
    password=os.environ['DB_PASSWORD'],
    host=os.environ['DB_HOST'],
    port=os.environ['DB_PORT'],
    name=os.environ['DB_NAME'],
)



Step 1 – Create schema declaration

Instead of maintaining a .env file for each environment, or Vault for production and possibly other sensitive environments, create a .cfgu schema declaration for this service. Each change then has to be made only once (only the key in the schema), and the values are initialized through the same interface. Our schema will look like this:


{
  "DB_USER": {
    "type": "String",
    "default": "user"
  },
  "DB_PASSWORD": {
    "type": "String",
    "default": "123"
  },
  "DB_HOST": {
    "type": "IPv4",
    "required": true,
    "default": ""
  },
  "DB_PORT": {
    "type": "Number",
    "required": true,
    "default": 5433
  },
  "DB_NAME": {
    "type": "String",
    "default": "database"
  },
  "DB_URL": {
    "type": "String",
    "template": "psql://{{DB_USER}}:{{DB_PASSWORD}}@{{DB_HOST}}:{{DB_PORT}}/{{DB_NAME}}",
    "description": "Generates a full PostgreSQL URL connection"
  }
}

Although saving configurations in source control is considered to be bad practice, the Cfgu format is designed to be part of the code, as it doesn’t include any sensitive values. That holds only while the defaults for secret keys such as DB_PASSWORD stay placeholders and never real credentials. Keeping the schema with the code increases developers’ velocity and helps them avoid leaving the terminal/IDE for other config management platforms.
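A pre-commit lint for the point above, as an added example (not Configu's own validation and not code from this post): it flags literal defaults on secret-looking keys, defaults that disagree with the declared type, and templates that embed a secret. The key-name pattern, type mapping, finding labels and `lint_schema` name are assumptions, and the sample schema is constructed from the one above.

```python
import re

# Assumptions of this lint (not Configu rules): name pattern, type map, labels.
SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|PRIVATE|API_KEY", re.I)
TEMPLATE_REF = re.compile(r"\{\{\s*(\w+)\s*\}\}")
PY_TYPES = {"string": str, "number": (int, float)}

# Constructed sample modeled on the schema above; DB_PASSWORD keeps a numeric
# default on a string key so the type check has something to catch.
SCHEMA = {
    "DB_USER": {"type": "String", "default": "user"},
    "DB_PASSWORD": {"type": "String", "default": 123},
    "DB_HOST": {"type": "IPv4", "required": True, "default": ""},
    "DB_PORT": {"type": "Number", "required": True, "default": 5433},
    "DB_NAME": {"type": "String", "default": "database"},
    "DB_URL": {
        "type": "String",
        "template": "psql://{{DB_USER}}:{{DB_PASSWORD}}@{{DB_HOST}}"
                    ":{{DB_PORT}}/{{DB_NAME}}",
    },
}


def lint_schema(schema):
    """Return sorted (key, finding) tuples for a parsed .cfgu schema dict."""
    findings = set()
    secrets = {k for k in schema if SECRET_NAME.search(k)}
    for key, cfgu in schema.items():
        default = cfgu.get("default")
        # A committed default on a secret key is a credential in source control.
        if key in secrets and default not in (None, ""):
            findings.add((key, "secret-default"))
        expected = PY_TYPES.get(str(cfgu.get("type", "")).lower())
        if default is not None and expected and (
            isinstance(default, bool) or not isinstance(default, expected)
        ):
            findings.add((key, "type-mismatch"))
        refs = set(TEMPLATE_REF.findall(cfgu.get("template", "")))
        for ref in refs - set(schema):
            findings.add((key, "undefined-ref:" + ref))
        # A templated value that embeds a secret must be handled as a secret.
        if refs & secrets:
            findings.add((key, "derived-secret"))
    return sorted(findings)


if __name__ == "__main__":
    for key, finding in lint_schema(SCHEMA):
        print(f"{key}: {finding}")
```

The `derived-secret` finding on DB_URL is the one to act on downstream: the exported URL carries the password, so it should not be logged or written to world-readable files.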

Step 2 – Use defaults for local development

Running a local environment was never easier. Choose your preferred way to inject your environment variables:

Run Configu seamlessly with your app

configu eval --schema "./my-app.cfgu.json" --defaults | configu export --run "py"

Inject the variables into your shell

configu eval --schema "./my-app.cfgu.json" --defaults | configu export --source

Download and use .env file or any other format you want

configu eval --schema "./my-app.cfgu.json" --defaults | configu export --format "Dotenv" > .env.development

Step 3 – Manage configs in HashiCorp Vault using Configu Orchestrator

Using a single set of commands, we can control any store, from local files in Git to secret managers. In the following example, we will manage our configs in our HashiCorp Vault secret manager.

Authenticate HashiCorp Vault

Configu’s CLI uses the standard environment variables HashiCorp uses. If you have the Vault CLI configured and working, there’s no special action to take. If not, please configure your environment with the required variables (see variables here).

Upsert values

configu upsert --store "hashicorp-vault" --schema "./my-app.cfgu.json" --set "prod" \
    --config "DB_USER=user" --config "DB_PASSWORD=123" --config "DB_HOST=localhost" \
    --config "DB_PORT=5433" --config "DB_NAME=database"

Export values

In the same way we previously used the Cfgu defaults, we can evaluate and export from any store we need.

configu eval --store "hashicorp-vault" --schema "./my-app.cfgu.json" --set "prod" \
    | configu export --run "py"

You’re done! This was a simple operation, but it’s the best way to show the power and simplicity of Configu Orchestrator and how you can use it to manage your configuration automatically and safely across all your current stores.
