TemplateVault 1.3.0

.NET 5.0
dotnet tool install --global TemplateVault --version 1.3.0
This package contains a .NET tool you can call from the shell/command line.
dotnet new tool-manifest # if you are setting up this repo
dotnet tool install --local TemplateVault --version 1.3.0
This package contains a .NET tool you can call from the shell/command line.
#tool dotnet:?package=TemplateVault&version=1.3.0
nuke :add-package TemplateVault --version 1.3.0

Template Vault

A simple tool to generate local dev config files from a template in git using values stored in Hasicorp Vault.

Using Template Vault


Before being used Template Vault must be installed. It is published as a DotNet tool and can easily be installed via nuget like so:

$ dotnet tool install --global TemplateVault

This installation only needs to be done once.


Run using the input template file as the first argument:

$ TemplateVault appsettings.local.json.tmpl --auth okta

The template file should end in the extension .tmpl or .tpl

The output file will be the name of the input file excluding this extension.


Vault Root Url

Templates must include a comment containing the root Vault url to use like so:

// {{VAULTROOT: https://vault.example.com}}

The Vault root url may include a default path to search for secrets like so:

// {{VAULTROOT: https://vault.example.com/secrets/default}}

Secret Paths

Secrets are included in the template inside pairs of double curly braces and may be absolute or relative:



Assuming the vault root is set to https://vault.example.com/secrets/default both of the above would resolve to the same secret.

Note that common relative folder operators . (current folder) and .. (up one directory) are not supported.


Input Template
// {{VAULTROOT: https://vault.example.com/secrets/default}}
Output File
// {{VAULTROOT: https://vault.example.com/secrets/default}}

Note on Secret Paths

A secret in Vault is technically identified by three pieces of information: the mount point, the path, and the secret key/name. Template Vault abstracts this away so that the mount point is prepended to the beginning of the path and the key/name appended to the end of the path. The mount point and key/name must always be included in the path. The mount point can be provided by Vault root for relative secret paths. But it must always be included in the beginning of absolute secret paths.

For example, given a mount point secrets, a path default/my-secrets, and a key/name secret1 the full path must be secrets/default/my-secrets/secret1. All of the below would resolve to this secret.

Vault Root Path
https://vault.example.com secrets/default/my-secrets/secret1
https://vault.example.com/secrets/default/my-secrets secret1
https://vault.example.com/secrets/default/my-secrets /secrets/default/my-secrets/secret1

Note how in the last example the path is defined as an absolute path so it ignored the path included in the Vault root.


Auth Types

Currently the following auth types are supported:

Command Line Description
--auth approle AppRole authentication
--auth azure Azure JWT authorization
--auth github GitHub private token authentication
--auth gcp Google Cloud JWT authentication
--auth jwt JWT authentication
--auth kerbos Kerbos username and password authentication
--auth kubernetes Kubernetes JWT authentication
--auth ldap LDAP username and password authentication
--auth okta OKTA username and password authentication
--auth radius RADIUS username and password authentication
--auth token Vault Token authentication
--auth userpass Vault username and password authentication (default)

Vault Username/Password authentication is the default, if no --auth parameter is supplied it will be used.

Non-Standard Auth Mounts

In some cases the auth backend is mounted in Vault in a non-standard location. If this is the case the --auth-mount option can be provided with the location of the auth mount point to use.

Escaping Within Replaced Values

By default, any double quotes (") or newlines within the values pulled from vault will be replaced with \" and \n respectively.

To disable this behavior use the command line switch --no-escape

Product Compatible and additional computed target framework versions.
.NET net5.0 is compatible.  net5.0-windows was computed.  net6.0 was computed.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 was computed.  net8.0-android was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed. 
Compatible target framework(s)
Additional computed target framework(s)
Learn more about Target Frameworks and .NET Standard.

This package has no dependencies.

Version Downloads Last updated
1.3.0 423 5/11/2022
1.0.0 361 5/11/2022