Vault CLI in Containers


In many CI/CD workflows, interfacing with HashiCorp Vault is required.

However, their CLI (or, more accurately, unified binary [1]) is stupidly big at more than 400MB, and they seem to have no interest in making it any smaller [2].

This is often an undesired size increase, especially when optimizing for pull and run time in CI/CD.

This note outlines a solution that brings us down from 400MB+ on disk for vault to about 300KB using curl and jq.

Optimizing things

The simple actions of getting keys in Vault can easily be expressed using plain curl, in combination with a bit of jq or bash.

I will demonstrate with a simple example: getting the value of a key in a secret for use somewhere else.

With the vault CLI:

vault kv get -address="vault-host"  -mount=X -field=username Some/secret/path
# myusername

We could simply build the curl command ourselves, but vault has the -output-curl-string flag that gives us a curl command to work with:

vault kv get -address="vault-host"  -mount=X -field=username -output-curl-string Some/secret/path
# curl -H "X-Vault-Token: $(vault print token)" -H "X-Vault-Request: true" https://vault-host/v1/X/data/Some/secret/path

This command might already be enough for your use case, but it does not replicate the -field=username parameter yet; instead it outputs the whole object. Using jq we can achieve exactly the same output as the original vault command.

curl -H "X-Vault-Token: $VAULT_TOKEN" -H "X-Vault-Request: true" https://vault-host/v1/X/data/Some/secret/path --silent | jq .data.data.username -r
# myusername
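The one-liner above is fine interactively, but in a CI job a 403 or a typo in the path makes curl print Vault's error JSON and jq emit an empty string, and the job carries on with an empty "secret". The following helper is an added example (not part of the original note) that wraps the same curl+jq call so it fails loudly instead; it assumes a KV v2 mount and that VAULT_ADDR and VAULT_TOKEN are set in the environment, as the Vault CLI itself expects.

```shell
#!/usr/bin/env sh
# Added example: replace `vault kv get -field=...` on a KV v2 mount with
# curl + jq, failing hard on HTTP errors and missing fields.
# Assumes VAULT_ADDR (e.g. https://vault-host) and VAULT_TOKEN are set.

# Build the KV v2 read URL. KV v2 inserts "data" between the mount name and
# the secret path; the -output-curl-string output above shows this shape.
vault_kv2_url() {
  addr=${1%/}   # drop a trailing slash so we never emit "host//v1"
  mount=$2
  path=$3
  printf '%s/v1/%s/data/%s\n' "$addr" "$mount" "$path"
}

# Read one field from a KV v2 secret. Returns non-zero (and prints a
# message to stderr) if the request fails or the field is absent.
vault_kv2_field() {
  mount=$1 path=$2 field=$3
  [ -n "$VAULT_ADDR" ]  || { echo "VAULT_ADDR is not set" >&2; return 1; }
  [ -n "$VAULT_TOKEN" ] || { echo "VAULT_TOKEN is not set" >&2; return 1; }
  url=$(vault_kv2_url "$VAULT_ADDR" "$mount" "$path")
  # --fail turns a 403/404 into a non-zero curl exit instead of an error
  # JSON body piped into jq. jq -e exits non-zero when the selected value
  # is null (field missing) or when it received no input (curl failed).
  # --arg avoids interpolating the field name into the jq program.
  value=$(curl --silent --show-error --fail \
            -H "X-Vault-Token: $VAULT_TOKEN" \
            -H "X-Vault-Request: true" \
            "$url" | jq -er --arg f "$field" '.data.data[$f]') || {
    echo "failed to read field '$field' from $mount/$path" >&2
    return 1
  }
  printf '%s\n' "$value"
}

# Usage, equivalent to: vault kv get -mount=X -field=username Some/secret/path
# username=$(vault_kv2_field X Some/secret/path username) || exit 1
```

Because `jq -e` is the last command in the pipeline, its exit status is what `$(...)` reports, so a missing field and a failed request both take the error branch.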

See also