Merge #11529: Read vault token from ~/.vault-token

CHANGELOG.md

@@ -27,6 +27,8 @@ IMPROVEMENTS:
    command to initialize a new or existing Terraform configuration.
  * provisioners: All provisioners now respond very quickly to interrupts for
    fast cancellation. [GH-10934]
+ * provider/vault: read vault token from `~/.vault-token` as a fallback for the
+   `VAULT_TOKEN` environment variable. [GH-11529]
 
 BUG FIXES:
 

builtin/providers/vault/provider.go

@@ -2,12 +2,14 @@ package vault
 
 import (
 	"fmt"
+	"io/ioutil"
 	"log"
 	"strings"
 
 	"github.com/hashicorp/terraform/helper/schema"
 	"github.com/hashicorp/terraform/terraform"
 	"github.com/hashicorp/vault/api"
+	"github.com/mitchellh/go-homedir"
 )
 
 func Provider() terraform.ResourceProvider {
@@ -22,7 +24,7 @@ func Provider() terraform.ResourceProvider {
 			"token": &schema.Schema{
 				Type:        schema.TypeString,
 				Required:    true,
-				DefaultFunc: schema.EnvDefaultFunc("VAULT_TOKEN", nil),
+				DefaultFunc: schema.EnvDefaultFunc("VAULT_TOKEN", ""),
 				Description: "Token to use to authenticate to Vault.",
 			},
 			"ca_cert_file": &schema.Schema{
@@ -122,6 +124,21 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		return nil, fmt.Errorf("failed to configure Vault API: %s", err)
 	}
 
+	token := d.Get("token").(string)
+	if token == "" {
+		// Use the vault CLI's token, if present.
+		homePath, err := homedir.Dir()
+		if err != nil {
+			return nil, fmt.Errorf("Can't find home directory when looking for ~/.vault-token: %s", err)
+		}
+		tokenBytes, err := ioutil.ReadFile(homePath + "/.vault-token")
+		if err != nil {
+			return nil, fmt.Errorf("No vault token found: %s", err)
+		}
+
+		token = strings.TrimSpace(string(tokenBytes))
+	}
+
 	// In order to enforce our relatively-short lease TTL, we derive a
 	// temporary child token that inherits all of the policies of the
 	// token we were given but expires after max_lease_ttl_seconds.
@@ -135,7 +152,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 	// can explicitly be revoked, and this limited scope won't apply to
 	// any secrets that are *written* by Terraform to Vault.
 
-	client.SetToken(d.Get("token").(string))
+	client.SetToken(token)
 	renewable := false
 	childTokenLease, err := client.Auth().Token().Create(&api.TokenCreateRequest{
 		DisplayName:    "terraform",

website/source/docs/providers/vault/index.html.markdown

@@ -84,6 +84,8 @@ variables in order to keep credential information out of the configuration.
 
 * `token` - (Required) Vault token that will be used by Terraform to
   authenticate. May be set via the `VAULT_TOKEN` environment variable.
+  If none is otherwise supplied, Terraform will attempt to read it from
+  `~/.vault-token` (where the vault command stores its current token).
   Terraform will issue itself a new token that is a child of the one given,
   with a short TTL to limit the exposure of any requested secrets.