Use an SSH private key without writing it on the disk¶

Trying to use an SSH private key stored in the vault without writing it on disk ( Avoid writing secrets to the disk) can be complicated given that SSH cannot read private keys from the environment. One standard way of reading a private key from something else than a file is to use ssh-agent.

vault-cli ssh launches your process with an ssh-agent that has your key preloaded. While the usual way of using an ssh-agent is to launch a background process, ssh-agent can also be used on “one-shot” mode, executing a single command and then stopping. This is what vault-cli ssh does.

$ # If your key is not passphrase-protected
$ vault-cli ssh --key path/to/ssh_private_key:value -- ssh -T git@github.com

$ # If your key is passphrase-protected and the passphase is in the vault
$ vault-cli ssh \
  --key path/to/ssh_key:key \
  --passphrase path/to/ssh_key:passphrase \
  -- ssh -T git@github.com

vault-cli ssh can be used with ssh, but also with any program that uses ssh underneath, as long as it supports ssh-agent. This includes git, (which itself includes pip, npm etc.) and many others.

Combining with `vault-cli env`¶

If you need to have both ssh access and secrets as environment variables (see Launch a process with your secrets as environment variables), you can combine vault-cli env and vault-cli ssh:

$ # If your key is not passphrase-protected
$ vault-cli ssh --key path/to/ssh_private_key:value \
  -- vault-cli env --envvar myapp \
  -- myapp_that_needs_secrets_and_ssh

Fork me on GitHub