AUTO-REFRESH CLOUD CREDENTIALS

Vault refresh hooks re-run a shell command to fetch a fresh credential when the stored value becomes stale. This guide shows how to configure refresh hooks for common cloud credential tools.

Google Cloud (gcloud)

Store a GCP access token that refreshes every 50 minutes:

$ swamp vault put my-vault GCP_TOKEN \
    --refresh-from "gcloud auth print-access-token" \
    --refresh-ttl 50m
Enter value for GCP_TOKEN: ********
INF vault·put Stored secret "GCP_TOKEN" in vault "my-vault"

The initial value is stored immediately. After 50 minutes, the next vault.get() call runs gcloud auth print-access-token and replaces the stored value with its output.

To confirm the hook is configured:

$ swamp vault inspect my-vault GCP_TOKEN
INF vault·inspect Metadata for "GCP_TOKEN" in vault "my-vault":
INF vault·inspect   refresh:
INF vault·inspect     command: "gcloud auth print-access-token"
INF vault·inspect     ttl: "50m"
INF vault·inspect     last refreshed: never

AWS SSO

Store an AWS session token that refreshes every 8 hours:

$ swamp vault put my-vault AWS_SESSION_TOKEN \
    --refresh-from "aws sso get-role-credentials --role-name MyRole --account-id 123456789012 --region us-east-1 --output text --query 'roleCredentials.sessionToken'" \
    --refresh-ttl 8h
Enter value for AWS_SESSION_TOKEN: ********
INF vault·put Stored secret "AWS_SESSION_TOKEN" in vault "my-vault"

The refresh command must produce the credential value on stdout. Use --query and --output text to extract the token from the AWS CLI JSON response.
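The stale-check and stdout-capture behaviour described above and in the gcloud section, as an added example that is not swamp's own code: a minimal model of a secret with a refresh hook, where `get()` re-runs the hook only once the TTL has elapsed and keeps the old value if the hook exits non-zero or prints nothing (that failure handling is an assumption of this example; the real semantics are in the Vaults reference).

```python
import subprocess
import time
from dataclasses import dataclass
from typing import Callable, Optional


class RefreshError(RuntimeError):
    """Raised when the refresh hook fails; the previous value is kept."""


def parse_ttl(ttl: str) -> int:
    """Parse a TTL such as "50m", "8h" or "30s" into seconds."""
    units = {"s": 1, "m": 60, "h": 3600}
    if len(ttl) < 2 or ttl[-1] not in units or not ttl[:-1].isdigit():
        raise ValueError(f"unsupported ttl: {ttl!r}")
    return int(ttl[:-1]) * units[ttl[-1]]


@dataclass
class Secret:
    value: str
    stored_at: float                        # epoch seconds the current value was written
    refresh_command: Optional[str] = None   # e.g. "gcloud auth print-access-token"
    refresh_ttl: Optional[str] = None       # e.g. "50m"
    last_refreshed: Optional[float] = None  # None is what inspect shows as "never"


def get(secret: Secret, now: Callable[[], float] = time.time,
        timeout: float = 30.0) -> str:
    """Return the secret value, re-running the hook first if the value is stale."""
    if secret.refresh_command is None or secret.refresh_ttl is None:
        return secret.value                 # no hook: plain static secret
    if now() - secret.stored_at < parse_ttl(secret.refresh_ttl):
        return secret.value                 # still fresh, no command run
    try:
        # The hook is an operator-authored shell string (it may contain quoting,
        # as the AWS example does), so it is run through the shell.
        proc = subprocess.run(secret.refresh_command, shell=True, capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired as exc:
        raise RefreshError(f"hook timed out after {timeout}s") from exc
    fresh = proc.stdout.rstrip("\n")
    # Assumed failure semantics: a non-zero exit or empty stdout never overwrites
    # the stored value, so a broken hook cannot blank out a working credential.
    if proc.returncode != 0 or not fresh:
        raise RefreshError(f"hook exited {proc.returncode}: {proc.stderr.strip()}")
    secret.value = fresh
    secret.stored_at = secret.last_refreshed = now()
    return secret.value
```

The `now` parameter is injected only so the TTL boundary can be exercised without waiting; a real call uses the default clock.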

kubectl OIDC

Store a Kubernetes OIDC token that refreshes every 55 minutes:

$ swamp vault put my-vault K8S_TOKEN \
    --refresh-from "kubectl config view --raw -o jsonpath='{.users[0].user.token}'" \
    --refresh-ttl 55m
Enter value for K8S_TOKEN: ********
INF vault·put Stored secret "K8S_TOKEN" in vault "my-vault"

Remove a Refresh Hook

To stop auto-refreshing a secret, use --clear-refresh:

$ swamp vault put my-vault GCP_TOKEN --clear-refresh --force
INF vault·put Stored secret "GCP_TOKEN" in vault "my-vault"

The secret value is preserved. Only the refresh hook is removed.

Reference

Refer to the Vaults reference for the full specification of refresh hook behavior, failure semantics, and inspect output format.