Managing HashiCorp Vault with Configu Orchestrator

Ran Cohen on

HashiCorp Vault is an identity-based secrets and encryption management system. It provides a unified interface to any secret, while providing tight access control and recording a detailed audit log. Vault can be used to store and manage a wide variety of secrets, including:

  • API keys
  • Passwords
  • Certificates
  • SSH keys
  • Database credentials
  • TLS certificates

Today’s developer teams are also expected to handle config ops on the platform, and HashiCorp Vault is a good opportunity to show how Configu lets you focus only on your config schemas. Configu handles the rest, including talking to Vault’s API to put your new config values in place and validate them.

To complete the tutorial, you’ll need a HashiCorp Vault server and credentials (the easiest option is to run it in Docker), Git, Configu’s CLI, and a simple ‘hello world’ app to deploy, which we’ve provided in this repo.

In most cases, your application already has a configuration file. In this example, we will examine Python code that consumes a PostgreSQL connection URL and a .env file:

import os

# Build the PostgreSQL connection URL from the individual environment variables
os.environ['DB_URL'] = 'psql://{user}:{password}@{host}:{port}/{name}'.format(
    user=os.environ['DB_USER'],
    password=os.environ['DB_PASSWORD'],
    host=os.environ['DB_HOST'],
    port=os.environ['DB_PORT'],
    name=os.environ['DB_NAME']
)



Step 1 – Create schema declaration

Instead of maintaining a .env file for each environment, or using Vault for production and possibly other sensitive environments, create a .cfgu schema declaration for this service. Each change then only has to be made once (to the key in the schema), and the values are initialized through the same interface. Our schema will look like this:


{
  "DB_USER": {
    "type": "String",
    "default": "user"
  },
  "DB_PASSWORD": {
    "type": "String",
    "default": "123"
  },
  "DB_HOST": {
    "type": "IPv4",
    "required": true,
    "default": ""
  },
  "DB_PORT": {
    "type": "Number",
    "required": true,
    "default": 5433
  },
  "DB_NAME": {
    "type": "String",
    "default": "database"
  },
  "DB_URL": {
    "type": "String",
    "template": "psql://{{DB_USER}}:{{DB_PASSWORD}}@{{DB_HOST}}:{{DB_PORT}}/{{DB_NAME}}",
    "description": "Generates a full PostgreSQL URL connection"
  }
}

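Although saving configurations in source control is considered bad practice, the Cfgu format is designed to be part of the code, as it doesn’t include any sensitive values. Keeping the schema in the code increases developers’ velocity and helps them avoid leaving the terminal/IDE for other config management platforms. Because defaults declared in the schema are committed along with it, they should only ever be placeholder values for local development, like the ones above.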
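As an added example (not part of the original post and not Configu’s own validation logic), the following Python lint checks a schema like the one above before it is committed: it flags secret-looking keys that carry a default, defaults that do not fit the declared type, and templates that reference undeclared keys. The secret-name pattern, the function names and the choice to treat an empty default as unset are assumptions made for this illustration.

```python
import ipaddress
import json
import re

# Constructed sample that mirrors the tutorial's schema (not read from disk).
SAMPLE_SCHEMA = json.loads("""{
  "DB_USER": {"type": "String", "default": "user"},
  "DB_PASSWORD": {"type": "String", "default": "123"},
  "DB_HOST": {"type": "IPv4", "required": true, "default": ""},
  "DB_PORT": {"type": "Number", "required": true, "default": 5433},
  "DB_NAME": {"type": "String", "default": "database"},
  "DB_URL": {"type": "String", "template":
    "psql://{{DB_USER}}:{{DB_PASSWORD}}@{{DB_HOST}}:{{DB_PORT}}/{{DB_NAME}}"}
}""")

# Assumption: key names matching this pattern are expected to hold secrets.
SECRET_KEY = re.compile(r"PASSWORD|SECRET|TOKEN|API_?KEY|PRIVATE", re.IGNORECASE)
TEMPLATE_REF = re.compile(r"\{\{\s*(\w+)\s*\}\}")

def default_fits_type(kind, value):
    """Check a default against the declared type (only the types used above)."""
    try:
        if kind == "Number":
            float(value)
        elif kind == "IPv4":
            ipaddress.IPv4Address(str(value))
        else:
            return isinstance(value, str)
    except (TypeError, ValueError):
        return False
    return True

def lint_schema(schema):
    """Return sorted (key, problem) findings for a parsed schema dict."""
    findings = []
    for key, cfgu in schema.items():
        default = cfgu.get("default", "")
        if default != "":  # assumption: an empty default means "not set"
            if SECRET_KEY.search(key):
                findings.append((key, "secret-like key carries a committed default"))
            if not default_fits_type(cfgu.get("type"), default):
                findings.append((key, "default does not match declared type"))
        for ref in TEMPLATE_REF.findall(cfgu.get("template", "")):
            if ref not in schema:
                findings.append((key, f"template references undeclared key {ref}"))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(f"{k}: {p}" for k, p in lint_schema(SAMPLE_SCHEMA)))
```

Run against the tutorial’s schema, the only finding is the DB_PASSWORD default, which is acceptable only as long as it stays a local-development placeholder.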

Step 2 – Use defaults for local development

Running a local environment has never been easier. Choose your preferred way to inject your environment variables:

Run Configu seamlessly with your app

configu eval --schema "./my-app.cfgu.json" --defaults | configu export --run "py"

Inject the variables into your shell

configu eval --schema "./my-app.cfgu.json" --defaults | configu export --source

Download and use a .env file or any other format you want

configu eval --schema "./my-app.cfgu.json" --defaults | configu export --format "Dotenv" > .env.development

Step 3 – Manage configs in HashiCorp Vault using Configu Orchestrator

Using a single set of commands, we can control any store, from local files in Git to secret managers. In the following example, we will manage our configs in our HashiCorp Vault secret manager.

Authenticate HashiCorp Vault

Configu’s CLI uses the standard environment variables that HashiCorp uses. If you have the Vault CLI configured and working, there’s no special action to take. If not, please configure your environment with the required variables (see variables here).

Upsert values

# DB_HOST is declared as IPv4 in the schema, so pass an address rather than a hostname
configu upsert --store "hashicorp-vault" --schema "./my-app.cfgu.json" --set "prod" \
    --config "DB_USER=user" --config "DB_PASSWORD=123" --config "DB_HOST=127.0.0.1" \
    --config "DB_PORT=5433" --config "DB_NAME=database"

Export values

In the same way we previously used the Cfgu defaults, we can evaluate and export from any store we need.

configu eval --store "hashicorp-vault" --schema "./my-app.cfgu.json" --set "prod" \
    | configu export --run "py"

You’re done! This was a simple operation, but it’s the best way to show the power and simplicity of Configu Orchestrator and how you can use it to manage your configuration automatically and safely using all your current stores.
