artificery/dew
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
dew/docs/features/vault.md

3.6 KiB
Raw Blame History

Dew Vault Secret Manager

Dew Vault stores project secrets as encrypted files under .project/vault. By default the vault password is stored in .project/secrets/dew.vault.password.

Config

Vault settings live in .project/dew.yaml under dew.vault.

dew:
  vault:
    password_file: .project/secrets/dew.vault.password
    storage_dir: .project/vault
    generators:
      postgres_password:
        type: random_password
        description: Generate random PostgreSQL passwords.
        config:
          length: 64
          include_symbols: true
      jwt_secret:
        type: random_token
        description: Generate JWT signing secrets.
        config:
          encoding: base64
          bytes: 48
      service_uuid:
        type: uuid_v4
        description: Generate stable-looking unique IDs.

generators maps a generator name to a built-in generator definition. Values under config are defaults and can be overridden per command invocation or in secret rotation metadata.

Built-in generator types are resolved inside Dew, so secrets can be generated without depending on host binaries.

Commands

Most commands support --format [default|json] (default is default) for machine-friendly automation.

Initialize Vault

Initialize vault directories and password file.

dew vault init
dew vault init --password-file .project/secrets/dew.vault.password
dew vault init --storage-dir .project/vault

List all secrets

dew vault list
dew vault list --format json

Set a secret

set stores or replaces a secret and optional metadata.

dew vault set --name DB_PASSWORD --file /path/to/secret.txt
dew vault set --name DB_PASSWORD --env ENV_VAR_NAME

Get a secret

dew vault get --name DB_PASSWORD
dew vault get --name DB_PASSWORD --format json

Update a secret

update patches secret metadata and/or value. Omit value source flags to edit metadata only.

dew vault update --name DB_PASSWORD --metadata '{"rotation":{"enabled":true,"generator":"postgres_password","length":64}}'
dew vault update --name DB_PASSWORD --metadata-file .project/vault/db_password.meta.json

Rename a secret

dew vault rename --from OLD_NAME --to NEW_NAME
dew vault rename --from OLD_NAME --to NEW_NAME --format json

Generate a secret value

generate uses configured generators without writing to the vault by default.

dew vault generate --generator postgres_password --arg length=64 --arg include_symbols=true
dew vault generate --generator jwt_secret --arg bytes=64 --arg encoding=base64
dew vault generate --generator postgres_password --arg service=payments --arg username=app_user --format json

Rotate secrets

rotate rewraps secrets with a new vault password when run without a name. When run with a secret name, it rotates only that secret.

dew vault rotate
dew vault rotate --name DB_PASSWORD
dew vault rotate --name DB_PASSWORD --format json

Delete a secret

dew vault delete --name DB_PASSWORD
dew vault delete --name DB_PASSWORD --format json

Metadata format for rotation-aware secrets

Attach arbitrary metadata and include rotation policy details. Example shape:

{
  "rotation": {
    "generator": "postgres_password",
    "service": "payments",
    "username": "app_user",
    "length": 64
  },
  "notes": "Rotate monthly and update app config via sidecar"
}

Rotation flow:

  1. Define a built-in generator in dew.yaml under dew.vault.generators.
  2. Attach rotation.generator and generator args to secret metadata.
  3. Run dew vault rotate --name ... to rotate one secret, or dew vault rotate to rotate all secrets.