Sourcing Environment Variables from Hashicorp Vault with bash

source_env_from_vault.sh

#!/bin/bash

#TODO: add support for multiple environments
#TODO: add support for multiple vaults
#TODO: add support for multiple paths in vault

ENVIRONMENT=prod

appendSecretsFromBucketToEnvFile(){
  bucket=$1
  envFile=$2
  # convert bucket name to uppercase and replace . with _ and - with _
  bucket_upper=$(echo $bucket | tr [:lower:] [:upper:] | tr . _ | tr - _)
  # store secrets as json
  bucket_json=$(vault kv get -format=json -field data -mount=$ENVIRONMENT $bucket | jq -cr)
  # loop over secrets and append them to the env file
  for secret in $(echo ${bucket_json} | jq -cr 'to_entries | .[].key'); do
    printf "export %s=%s" \
      ${bucket_upper}_${secret} \
      "$(echo ${bucket_json} | jq -c --arg s ${secret} '.[$s]')" \
    >> $envFile
  done
}

sourceEnvFromVault(){
  envFile=$(mktemp)

  # do this in paralell to speed up the second call to vault
  for bucket in $(vault kv list -format=json $1 | jq -cr '.[]'); do
    appendSecretsFromBucketToEnvFile $bucket $envFile &
  done
  wait

  source $envFile
  rm $envFile
}

start=$(date +%s)
sourceEnvFromVault $ENVIRONMENT
end=$(date +%s)

echo

printenv

echo
echo Sourcing took $(expr $end - $start) seconds
echo ENV: $ENVIRONMENT