A C++ library for Hashicorp Vault
This project assumes a C++ 17 capable compiler. This includes GCC 8 or higher, and clang 3.8 or higher. Support for lower standards versions of C++ will not be accepted due to inconsistent implementations of optional.
- cURL
- Catch2 (test only)
The following example shows both a secret put and get. The most common scenario is get for most applications and the put will happen outside of the application by another process. Additional examples are located in the example directory.
#include <iostream>
#include <libvault/VaultClient.h>
int main(void)
{
Vault::HttpErrorCallback httpErrorCallback = [&](std::string err) {
std::cout << err << std::endl;
};
Vault::AppRoleStrategy authStrategy{
Vault::RoleId{"<role_id>"},
Vault::SecretId{"<secret_id>"}
};
Vault::Config config = Vault::ConfigBuilder().build();
Vault::Client vaultClient{config, authStrategy, httpErrorCallback};
Vault::SecretMount mount{"/test"};
Vault::KeyValue kv{vaultClient, mount};
Vault::Path key{"hello"};
Vault::Parameters parameters(
{
{"foo","world"},
{"baz","quux"},
{"something", "something else"},
}
);
kv.create(key, parameters);
std::cout << kv.read(key).value() << std::endl;
}This project uses nlohmann/json internally but does not expose it. This project makes no assumptions about serialization and returns std:string values that can be serialized by the tooling of your choice. Should you choose to use nlohmann/json you can add the json.hpp file to your project. This project's integration tests have multiple examples of how to use it.
The following tables show support for each of the secret backends, auth methods, and system endpoints. Because the surface area is so large, endpoints are implemented as needed. Pull requests are welcome. Feel free to file an issue or submit a pull request for additional support.
| Secret Backend | Implemented | Integration Tested |
|---|---|---|
| Active Directory | Yes | No |
| Ali Cloud | Yes | No |
| AWS | Yes | No |
| Azure | Yes | No |
| Consul | Yes | No |
| Cubbyhole | Yes | Yes |
| Cassandra | Yes | No |
| Couchbase | Yes | No |
| Elasticsearch | Yes | No |
| Influxdb | Yes | No |
| HanaDB | Yes | No |
| MongoDB | Yes | No |
| MongoDB Atlas | Yes | No |
| MSSQL | Yes | No |
| MySQL/MariaDB | Yes | No |
| Oracle | Yes | No |
| PostgreSQL | Yes | Partial |
| Redshift | Yes | No |
| Google Cloud | Yes | No |
| Google Cloud KMS | Yes | No |
| Key Management* | Yes | No* |
| KMIP | Yes | No* |
| Key/Value V1 | Yes | Partial |
| Key/Value V2 | Yes | Partial |
| Identity | Yes | No |
| MongoDB Atlas | Yes | No |
| Nomad | Yes | No |
| OpenLDAP | Yes | No |
| PKI | Yes | Partial |
| RabbitMQ | Yes | Partial |
| SSH | Yes | No |
| TOTP | Yes | Yes |
| Transform | Yes | No* |
| Transit | Yes | Partial |
* Requires an enterprise license and cannot be integration tested
| Auth Method | Implemented | Integration Tested |
|---|---|---|
| AliCloud | Yes | No |
| AppRole | Yes | Yes |
| AWS | Yes | No |
| Azure | Yes | No |
| Cloud Foundry | Yes | No |
| GitHub | Yes | No |
| Google Cloud | Yes | No |
| JWT/OIDC | Yes | No |
| Kerberos | Yes | No |
| Kubernetes | Yes | No |
| LDAP | Yes | No |
| OCI | Yes | No |
| Okta | Yes | No |
| RADIUS | Yes | No |
| TLS Certificate | Yes | No |
| Tokens | Yes | Yes |
| Username/Password | Yes | No |
* Requires an enterprise license and cannot be integration tested
| System Backend | Implemented | Integration Tested |
|---|---|---|
| /sys/health | Yes | Yes |
| /sys/leader | Yes | Yes |
| /sys/auth | Yes | Yes |
| /sys/wrapping | Yes | Yes |
| /sys/audit | Yes | No |
| /sys/audit-hash | Yes | No |
| /sys/capabilities | Yes | No |
| /sys/capabilities-accessor | Yes | No |
| /sys/capabilities-self | Yes | No |
| /sys/config/auditing | Yes | No |
| /sys/config/control-group | Yes | No |
| /sys/config/cors | Yes | No |
| /sys/config/state | Yes | No |
| /sys/config/ui | Yes | No |
| /sys/control-group | Yes | No |
| /sys/host-info | Yes | No |
| /sys/init | Yes | No |
| /sys/internal/counters | Yes | No |
| /sys/plugins/reload/backend | Yes | No |
| /sys/internal/ui/mounts | Yes | No |
| /sys/key-status | Yes | No |
| /sys/leases | Yes | No |
| /sys/license | Yes | No |
| /sys/metrics | Yes | No |
| /sys/mounts | Yes | No |
| /sys/remount | Yes | No |
| /sys/rotate | Yes | No |
| /sys/seal | Yes | No |
| /sys/seal-status | Yes | No |
| /sys/step-down | Yes | No |
| /sys/unseal | Yes | No |
| /sys/mfa | Yes | No |
| /sys/namespaces | Yes | No* |
| /sys/generate-root | Yes | No |
| /sys/internal/specs/openapi | Yes | No |
| /sys/plugins/catalog | Yes | No |
| /sys/policy | Yes | No |
| /sys/policies | Yes | No* |
| /sys/pprof | Yes | No |
| /sys/raw | Yes | No |
| /sys/sealwrap/rewrap | Yes | No |
| /sys/tools | Yes | No |
| /sys/rekey | No | No |
| /sys/rekey-recovery-key | No | No |
| /sys/replication | No | No |
| /sys/storage | No | No |
* Requires an enterprise license and cannot be integration tested
This project uses CMake. To build the library run the following commands from the project root:
mkdir build
cd build
cmake ../
makeThe following custom options can be provided to CMake to control your build:
ENABLE_TEST [ON|OFF]-[Default ON]Standard unit tests (Requires the Catch2 testing library)ENABLE_INTEGRATION_TEST [ON|OFF]-[Default OFF]Enable integration tests (Requires configured, running Vault)ENABLE_COVERAGE [ON|OFF]-[Default OFF]Enable gcov code coverageLINK_CURL [ON|OFF]-[Default OFF]Link curl library when compiling
This project uses a standard C++ development with CMake environment. Additionally, a running and configured instance of Vault is required to run the integration tests. This project contains scripts that will download Vault, configure it, and run it. You are of course welcome to use your own Vault instance, but you will need to use the configuration from the script folder for the tests to pass.
Use the provided scripts to setup and run your Vault environment:
$ script/fetch_vault
$ script/vault
# In another terminal window
$ script/bootstrapThis will ensure you have a working instance of Vault that will work with the integration tests. Note that this setup does not demonstrate a production worthy configuration and should only be used for reference or inside of this project. For you production Vault setup please consult the Hashicorp Vault best practices.