Example: Importing vault contents at startup
Importing your vault contents might be a good idea when:
- Your tests need to set up a baseline of vault contents every time they run
- You want to avoid using the management API for creating custom named vaults
If one or more of these cases apply to your use case, you can generate the vault contents once and simply import them at startup by following the few simple steps outlined on this page.
To achieve this, you can start your Lowkey Vault instance as usual.
- You can provide the `LOWKEY_VAULT_NAMES` parameter to initialize the vault contents with custom vaults as described here; OR
- You can rely on the default vaults; OR
- You can turn off auto-registration of vaults by using `--LOWKEY_VAULT_NAMES=-` and rely on the management API; OR
- You can use a combination of the above.
Once your vault is up and running, you can use the supported endpoints of the standard Azure Key Vault REST API for Keys and Secrets (or any of the official SDKs supporting them) to populate it with content.
Lowkey Vault comes with a management API, which lets you export the content of all active vaults with a few clicks.
This endpoint will return the content in a JSON format, which you can save in a file.
The exported content can be customized with template variables, which can help in case you need to make your exported data more generic and guarantee that:
- Your vault name will match the actual host name/IP your container uses when you start it
- Your vault URL contains the same port your container uses (or which your container maps to on the host)
- The timestamps of the exported keys/secrets are automatically adjusted relative to the time you import them
If any of these apply to your situation, you can use the `{{host}}`, `{{port}}`, `{{now <offset_seconds>}}` Handlebars placeholders to do so as described here.
Once finished, you can have something like this example.
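The following Python example is added here and is not Lowkey Vault code: it rewrites an export into a template using the three placeholders above and previews how that template resolves for a given host, port and import time. The sample export, its field names (`TIME_KEYS`) and the function names are constructed for illustration, and `{{now <offset_seconds>}}` is assumed to resolve to the import time in epoch seconds plus the offset.

```python
import json
import re

# Constructed sample export; the field names are illustrative assumptions,
# not the exact schema returned by the management API.
SAMPLE_EXPORT = json.dumps({
    "vaults": [{
        "baseUri": "https://localhost:8443",
        "secrets": [{
            "id": "https://localhost:8443/secrets/db-password/1",
            "value": "constructed-test-value",
            "created": 1700000000,
            "expiry": 1700086400,
        }],
    }]
}, indent=2)

TIME_KEYS = ("created", "updated", "notBefore", "expiry")  # assumed names
NOW_RE = re.compile(r"\{\{\s*now\s+(-?\d+)\s*\}\}")


def templatize(export_text, host, port, exported_at, time_keys=TIME_KEYS):
    """Swap the concrete host:port and absolute timestamps for placeholders."""
    text = export_text.replace(f"{host}:{port}", "{{host}}:{{port}}")
    keys = "|".join(map(re.escape, time_keys))
    stamp = re.compile(rf'("(?:{keys})"\s*:\s*)(\d+)')
    # Each timestamp becomes an offset relative to the moment of export.
    return stamp.sub(
        lambda m: f"{m.group(1)}{{{{now {int(m.group(2)) - exported_at}}}}}", text)


def render(template, host, port, now):
    """Preview the import: resolve placeholders, then require valid JSON."""
    text = template.replace("{{host}}", host).replace("{{port}}", str(port))
    text = NOW_RE.sub(lambda m: str(now + int(m.group(1))), text)
    leftover = re.search(r"\{\{.*?\}\}", text)
    if leftover:  # a typo such as {{hots}} would otherwise break the import
        raise ValueError(f"unresolved placeholder: {leftover.group(0)}")
    return json.loads(text)
```

Running `render` on a template before starting the container catches misspelled placeholders and invalid JSON early, since a failed import stops the vault from starting with the expected contents.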
If you are using the Jar, you can simply provide the parameters as described here.
Note: It is a good idea to pass `LOWKEY_VAULT_NAMES=-` as well when importing vault contents to avoid collisions between the default vaults registered and the ones which are imported right after the defaults are created. If a collision happens, import will fail.
When using Docker, you need to consider that the directory containing your import file on the host must be mounted under the `/import` path in your container. Also, you must pass each parameter inside the `LOWKEY_ARGS` environment variable. Two example projects are prepared, each attaching the folder and importing the import file while using the supported placeholders too. You can find these using the following links: