From 9939fa097129ac93b3be41fefe1e10a5bedabbdc Mon Sep 17 00:00:00 2001 From: Alex Dadgar Date: Tue, 1 Nov 2016 12:37:27 -0700 Subject: [PATCH] Read from env --- command/agent/command.go | 10 +++++++++- website/source/docs/agent/config.html.md | 7 +++++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/command/agent/command.go b/command/agent/command.go index e059f8eb6..9b1348c94 100644 --- a/command/agent/command.go +++ b/command/agent/command.go @@ -272,6 +272,13 @@ func (c *Command) readConfig() *Config { c.Ui.Error("WARNING: Bootstrap mode enabled! Potentially unsafe operation.") } + // Check to see if we should read the Vault token from the environment + if config.Vault.Token == "" { + if token, ok := os.LookupEnv("VAULT_TOKEN"); ok { + config.Vault.Token = token + } + } + return config } @@ -918,7 +925,8 @@ Vault Options: -vault-token= The Vault token used to derive tokens from Vault on behalf of clients. - This only needs to be set on Servers. + This only needs to be set on Servers. Overrides the Vault token read from + the VAULT_TOKEN environment variable. -vault-allow-unauthenticated Whether to allow jobs to be sumbitted that request Vault Tokens but do not diff --git a/website/source/docs/agent/config.html.md b/website/source/docs/agent/config.html.md index 3b83d670b..e0dbefed5 100644 --- a/website/source/docs/agent/config.html.md +++ b/website/source/docs/agent/config.html.md 
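Review bot: The VAULT_TOKEN fallback added at the end of readConfig runs for every agent, while the help text changed in the same file says the token only needs to be set on Servers; nothing in the visible lines checks server mode or whether Vault integration is enabled. An agent launched from an operator's shell that still has VAULT_TOKEN exported for the vault CLI would silently adopt that credential, which may carry far more privilege than the token intended for deriving job tokens. I would gate the lookup, for example `if config.Vault.Token == "" && config.Vault.Enabled {` (field name assumed from the `-vault-enabled` flag; confirm against the config struct), and report where the token came from without printing its value, e.g. `c.Ui.Info("Vault token loaded from VAULT_TOKEN environment variable")`. readConfig begins above the hunk, so an earlier check may already cover part of this.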
@@ -333,7 +333,9 @@ integration and are entirely optional. * `token`: Token is used by Servers to derive child token's for jobs requesting tokens. As such it does not need to be specified by the Client. Visit the [Vault Integration](/docs/vault-integration/index.html) - documentation to see how to generate an appropriate token. + documentation to see how to generate an appropriate token. The VAULT_TOKEN + environment variable is used when starting the agent. If a flag or + configuration specifies a value they take precedence. * `allow_unauthenticated`: allows users to submit jobs requiring Vault tokens without providing a Vault token proving they have access to these policies. @@ -662,7 +664,8 @@ via CLI arguments. The `agent` command accepts the following arguments: * `-vault-enabled`: Whether to enable or disabled Vault integration. * `-vault-address=`: The address to communicate with Vault. * `-vault-token=`: The Vault token used to derive tokens. Only needs to - be set on Servers. + be set on Servers. Overrides the Vault token read from the VAULT_TOKEN + environment variable. * `-vault-ca-file=`: Path to a PEM-encoded CA cert file used to verify the Vault server SSL certificate. * `-vault-ca-path=`: Path to a directory of PEM-encoded CA cert files used