The aomi tool may make use of different sources of data when writing to the generic secret backend of Vault. The specified mountpoint must exist as a generic secret backend.
Generic Data Formats
The format will vary slightly depending on what your source data is. There are three types of static data which aomi may operate upon:
- Static files map files (binary or text) to a key in a Vault path.
- YAML variable files map a YAML file to a Vault path.
- Generated secrets are random and, by default, write-once.
You may specify a list of files and their destination Vault secret item. Each files section has a list of source files and the key name each should use in Vault. Each instance of a files section must also include a Vault mount point and path. If a file contains non-unicode characters it will be base64 encoded.
The following example would create two secrets (private and public) based on the two files under the secrets directory and place them in the Vault path foo/bar/baz:

```yaml
secrets:
  - files:
      - source: id_rsa
        name: private
      - source: id_rsa.pub
        name: public
    mount: foo/bar
    path: 'baz'
```
YAML Variable Files
You may define a preset list of secrets and associate them with a mountpoint and path. The var_file contains a list of YAML key value pairs. The following example would create two secrets (user and password) at the Vault path foo/bar/baz:

```yaml
secrets:
  - var_file: 'foo.yml'
    mount: 'foo/bar'
    path: 'baz'
```

where foo.yml contains:

```yaml
user: 'foo'
password: 'bar'
```
The aomi tool has the ability to populate a generic Vault path with random secrets. You still specify the mountpoint, path, and keys, but not the contents. By default this is a write-once operation, but you can change this with the overwrite attribute. You can generate either random words or a uuid.

```yaml
secrets:
  - generated:
      mount: 'foo'
      path: 'bar'
      keys:
        - name: 'username'
          method: 'words'
        - name: 'password'
          method: 'uuid'
      overwrite: true
```
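To make the three formats concrete, here is an added Python model (not aomi's own code) of what each secrets entry writes: it takes the parsed form of the YAML above, base64-encodes a file that is not valid unicode, copies a var_file's key/value pairs, and honours write-once for generated secrets unless overwrite is set. The source files, word list and the dict standing in for the Vault backend are constructed stand-ins, and the unicode check is assumed to mean UTF-8 decodability.

```python
import base64
import secrets
import uuid

# Constructed stand-ins for the two source files of the "files" example; id_rsa
# deliberately holds bytes that are not valid UTF-8 to exercise the base64 rule.
SOURCE_FILES = {"id_rsa": b"\x00\xffnot-unicode\x80",
                "id_rsa.pub": b"ssh-rsa AAAAB3 aomi@example\n"}
# Constructed word list for the 'words' method (aomi ships its own list).
WORDS = ["alpha", "bravo", "charlie", "delta", "echo"]

def encode_file(data):
    """Text is stored as-is; a file that is not valid unicode (checked here as
    UTF-8 decodability, an assumption) is base64 encoded instead."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return base64.b64encode(data).decode("ascii")

def generate(method):
    """Produce one random value for a 'generated' key (words or uuid)."""
    if method == "uuid":
        return str(uuid.uuid4())
    if method == "words":
        return "-".join(secrets.choice(WORDS) for _ in range(3))
    raise ValueError("unknown method: %s" % method)

def render(entry, vault, var_files):
    """Return (vault_path, key/value map) that one secrets entry would write."""
    if "files" in entry:
        data = {f["name"]: encode_file(SOURCE_FILES[f["source"]]) for f in entry["files"]}
        return "%s/%s" % (entry["mount"], entry["path"]), data
    if "var_file" in entry:
        return "%s/%s" % (entry["mount"], entry["path"]), dict(var_files[entry["var_file"]])
    if "generated" in entry:
        g = entry["generated"]
        path = "%s/%s" % (g["mount"], g["path"])
        if path in vault and not g.get("overwrite", False):
            return path, vault[path]  # write-once: keep what is already stored
        return path, {k["name"]: generate(k["method"]) for k in g["keys"]}
    raise ValueError("unknown secrets entry: %r" % entry)

def apply(config, vault, var_files=None):
    """Apply a parsed aomi 'secrets' list to a dict standing in for the Vault backend."""
    for entry in config["secrets"]:
        path, data = render(entry, vault, var_files or {})
        vault[path] = data
    return vault
```

Running `apply` twice on the generated entry without overwrite returns the same values the second time; with overwrite: true the password is regenerated.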