Ideally you would fetch values directly from Vault, e.g. using the REST API, ideally with SSL (but that depends on the environment your app is running in, etc.) or using the vault command.

One can either access the Vault REST API directly inside the app itself, or one can pull data from it in a script file that launches the app, etc., and set any necessary environment vars dynamically before launching the app. E.g. in a launch script you might do something like (sorry, no idea how to do preformatted text on HN):

    SOME_KEY=$(curl [access-your-vault-appropriately-here-using-access-tokens-etc] | jq whatever)

Or, in wrapper launch scripts, instead of using the REST API directly with curl, use the vault command directly, if it's installed, e.g.

    SOME_KEY=$(vault kv get foo/whatever)

Although you'd also need to do some calls up front first, to authenticate and get an access token, before querying for data/secrets.

But doing these kinds of calls in the global environment gives those secrets to, well, everything in the global environment. If you need to pass a vault secret to some specific app, then you want to read from the vault as close to that app's launch as possible, e.g. in a wrapper script that launches that app (instead of launching it 'naked', and leaving it to read from global environment) - or by actually accessing the vault directly from within the app (which isn't gonna be possible with third-party stuff, unless it already supports your vault natively).
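
The scoping point in the comment above, as an added example that is not part of the original comment: a POSIX sh wrapper that reads one field with `vault kv get -field=...` and exports it only inside the subshell that execs the app, so the calling shell's environment never holds the value. The helper name, the `rws_*` variables and the path, field and app in the usage comment are hypothetical, and it assumes the `vault` CLI is installed and already authenticated.

```shell
#!/bin/sh
# Added example: hand one Vault secret to exactly one process.
# Assumes the vault CLI is on PATH and already authenticated
# (address and token set up beforehand).

# run_with_secret ENV_NAME VAULT_PATH FIELD COMMAND [ARGS...]
# (hypothetical helper name)
run_with_secret() {
    if [ "$#" -lt 4 ]; then
        echo "usage: run_with_secret ENV_NAME VAULT_PATH FIELD COMMAND [ARGS...]" >&2
        return 2
    fi
    rws_name=$1 rws_path=$2 rws_field=$3
    shift 3

    # Accept only plain identifiers as the variable name, so a malformed
    # name argument cannot set some other variable or break the export.
    case $rws_name in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "run_with_secret: invalid variable name: $rws_name" >&2
            return 2 ;;
    esac

    # Everything secret lives inside this subshell. The parent shell never
    # sees the value, and nothing lands in the global environment.
    (
        # -field prints only the requested value, not the whole table.
        rws_value=$(vault kv get -field="$rws_field" "$rws_path") || {
            echo "run_with_secret: could not read $rws_path" >&2
            exit 1
        }
        [ -n "$rws_value" ] || { echo "run_with_secret: empty secret" >&2; exit 1; }
        export "$rws_name=$rws_value"
        unset rws_value
        exec "$@"
    )
}

# Usage (constructed path, field and app name):
#   run_with_secret SOME_KEY foo/whatever some_key ./my-app --serve
```

The launched app's own children still inherit the variable, so the scope is that process tree rather than that single process.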