Support Vault as credential provider #3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull request overview
This PR adds support for using Vault/OpenBao as a credentials provider, enabling ID token exchange for secrets via JWT authentication. The implementation includes automatic credential refresh, support for both dynamic and static secrets, and configurable polling intervals for secrets without TTL.
Key Changes:
- Implements Vault credentials provider with JWT auth-based token exchange and secret retrieval
- Enhances static token provider to parse JWT expiration times
- Extends credential equality logic to support
VaultSecrettype
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| pkg/vault/option.go | Defines configuration options for Vault credential provider (JWT auth path, role name, secret path, polling interval) |
| pkg/vault/creds.go | Implements core Vault credentials provider with JWT authentication, secret retrieval, and automatic refresh logic |
| pkg/token/static_token_provider.go | Adds JWT parsing to extract expiration time from static tokens |
| pkg/credential/result.go | Introduces VaultSecret type for Vault credential data |
| pkg/credential/equal.go | Adds equality comparison support for VaultSecret credentials |
| go.mod | Updates Go version and adds OpenBao/Vault client dependencies |
| README.md | Documents Vault credentials provider usage with example code |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <[email protected]> Signed-off-by: Toader Sebastian <[email protected]>
rappizs
reviewed
Dec 29, 2025
rappizs
approved these changes
Jan 5, 2026
bonifaido
approved these changes
Jan 5, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request introduces support for Vault as a credentials provider, allowing the library to exchange ID tokens for secrets from OpenBao/Vault using JWT authentication. The changes include a new implementation for Vault credentials, updates to the credential equality logic, and documentation and dependency updates to support this new feature.
Vault Credentials Provider Integration:
VaultSecrettype to thecredentialpackage for representing secrets fetched from Vault, and updated the credential equality logic to supportVaultSecret.vaultpackage with aCredentialsProviderthat exchanges ID tokens for Vault tokens using JWT auth and retrieves secrets, including logic for refreshing credentials and handling both dynamic and static secrets.README.md) to describe the new Vault credentials provider and provide example usage.Other Improvements: