aomi

Opinionlessly Express Opinions on Vault

If you want to just jump in, check out the quickstart.

Overview

The purpose of aomi is to provide a data model, suitable for use in a continuous delivery pipeline, to facilitate the storing of operational secrets within Hashicorp Vault. This data model is expressed as YAML in a file (generally) named Secretfile. You can then leverage this data model to provide consistent deployment of secrets in isolated environments with distinct Hashicorp Vault servers.

The aomi tool itself is quite flexible, but can be used to enforce rigorous opinions upon how an organization chooses to leverage Vault. The aomi tool may write to a variety of Vault backends.

Docker

Being able to run aomi against Vault from a Docker container is key to integrating it easily with most modern continuous delivery pipelines. You can pass configuration into the aomi Docker container either as environment variables or as files mounted in during docker run.

To perform an aomi seed using an existing Vault login on a workstation, you could use something like the following.

docker run \
    -e VAULT_ADDR=$VAULT_ADDR \
    -v ${HOME}/.vault-token:/.vault-token \
    -v ${HOME}/src/example \
    autodesk/aomi \
    seed

Requirements

The aomi tool has several requirements which can (generally) all be sourced from PyPI.

The PyYAML package, by default, will make use of libyaml. This can be a problem on some systems as you may need to manually install libyaml.

You should be using a recent enough version of Python to have good TLS support. Vault can make use of SNI, and that requires Python 3.0 or a recent Python 2.7 release.

Tests run (both locally and on Travis) in isolation using virtualenv, so you must have it installed if you wish to do active development on aomi.