Store JSON Secret in Vault


Here's how to store a JSON secret in Vault and parse it out.

JSON Secrets

Some secrets have more than a single value. An example is a service account for Google Cloud: you get a JSON file containing a private key, client email, and other values.

The pkey.json looks something like this:

{
  "type": "service_account",
  "project_id": "my-proj",
  "private_key_id": "some-key",
  "private_key": "some-other-key",
  "client_email": "some@email.com",
  "etc": "and so on"
}

Vault

Vault is a HashiCorp product that lets you deliver secrets to your application environment at runtime via a Vault client.

Prep the JSON

Whatever the secret is, it needs to fit on a single line to be stored as a single value. For this purpose, we'll compact our JSON using jq:

jq -c . pkey.json > pkey-compact.json

Store JSON

Once you install the Vault CLI, storing JSON can be accomplished like any other secret in Vault:

vault kv put -namespace=admin/dev -mount=secret my-proj/api-creds SECRET_KEY=@pkey-compact.json

The -mount names the KV secrets engine (here secret), and the path after it, my-proj/api-creds, is where within that mount the secret is stored. SECRET_KEY is the name of the key. The @ preceding the pkey-compact.json filename tells the CLI to read the value from that file on the filesystem.

Parse JSON

In code, then, when retrieving the secret, it'll need to be parsed from a string back into JSON. For example, in JavaScript:

const secret = JSON.parse(process.env.SECRET_KEY)
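An added example (JavaScript, not from the original post) that covers both the prep step and the parse step: compactJson() reproduces what jq -c does, and loadServiceAccount() parses the string back and refuses anything that is unset, not JSON, or missing the fields a service-account key must have. The function names, REQUIRED_FIELDS and the sample file are assumptions for illustration.

```javascript
// Added example, not from the original post. compactJson() does what `jq -c`
// does above; loadServiceAccount() parses the value back out of the string the
// app receives and fails closed if it is not a well-formed service-account key.
const REQUIRED_FIELDS = ['type', 'project_id', 'private_key', 'client_email'];

// Parse and re-serialise with no whitespace, so the whole document becomes
// a single line and therefore a single Vault value.
function compactJson(text) {
  return JSON.stringify(JSON.parse(text));
}

// Turn the raw string (in production, process.env.SECRET_KEY) into an object,
// checking its shape before anything uses it.
function loadServiceAccount(raw) {
  if (typeof raw !== 'string' || raw.trim() === '') {
    throw new Error('SECRET_KEY is unset or empty');
  }
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (err) {
    // Do not put `raw` in the message: it holds the private key.
    throw new Error('SECRET_KEY is not valid JSON');
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('SECRET_KEY must be a JSON object');
  }
  const missing = REQUIRED_FIELDS.filter((f) => typeof parsed[f] !== 'string' || parsed[f] === '');
  if (missing.length > 0) {
    throw new Error(`SECRET_KEY is missing fields: ${missing.join(', ')}`);
  }
  if (parsed.type !== 'service_account') {
    throw new Error(`SECRET_KEY has unexpected type "${parsed.type}"`);
  }
  return parsed;
}

// Constructed sample in the shape of the pkey.json shown above.
const SAMPLE_PKEY = `{
  "type": "service_account",
  "project_id": "my-proj",
  "private_key_id": "some-key",
  "private_key": "some-other-key",
  "client_email": "some@email.com",
  "etc": "and so on"
}`;

// Stand-alone demo: what `vault kv put` would store, then what the app gets back.
const stored = compactJson(SAMPLE_PKEY);
console.log(`stored ${stored.length} chars; ${loadServiceAccount(stored).client_email}`);
```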