lucasberto/laravel-vault

An easy Laravel integration for HashiCorp Vault

1.0.6 2025-02-18 13:47 UTC

This package is auto-updated.

Last update: 2025-06-18 14:25:55 UTC


A package for simple and easy Laravel and HashiCorp Vault integration.

Features

  • Simple integration with HashiCorp Vault
  • Support for multiple Vault servers
  • Clean facade-based API

Supported Secret Engines (will add more in the future):

  • KV Secrets Engine v1
  • KV Secrets Engine v2

Requirements

  • PHP 8.1 or higher
  • Laravel 9, 10, or 11
  • HashiCorp Vault 1.12 or higher

Installation

You can install the package via composer:

composer require lucasberto/laravel-vault

Configuration

After installing the package, you need to publish the configuration file:

php artisan vendor:publish --tag=vault-config

This will create a config/vault.php file in your project.

Also, you need to add the following lines to your .env file:

# Required configs
VAULT_ADDR=http://127.0.0.1:8200
VAULT_TOKEN=your-token-here

# Optional configs
VAULT_TIMEOUT=10   # Default: 30
VAULT_KV_ROOT=kv-v2 # Default: secret

If you want to use multiple Vault servers, you can add more addresses and tokens to the .env file:

VAULT_SECONDARY_ADDR=http://vault2.example.com:8200
VAULT_SECONDARY_TOKEN=another-token

# Optional configs
VAULT_SECONDARY_TIMEOUT=20   # Default: 30
VAULT_SECONDARY_KV_ROOT=kv-v2 # Default: secret

And update the config/vault.php file accordingly.

'servers' => [
        'main' => [
            'address' => env('VAULT_ADDR', 'http://127.0.0.1:8200'),
            'token' => env('VAULT_TOKEN'),
            'timeout' => env('VAULT_TIMEOUT', 30),
            'kv_root' => env('VAULT_KV_ROOT', 'secret'),
        ],
        'secondary' => [
            'address' => env('VAULT_SECONDARY_ADDR'),
            'token' => env('VAULT_SECONDARY_TOKEN'),
            'timeout' => env('VAULT_SECONDARY_TIMEOUT', 30),
            'kv_root' => env('VAULT_SECONDARY_KV_ROOT', 'secret'),
        ],
    ],

Usage

Basic Usage

use Lucasberto\LaravelVault\Facades\Vault;


// List secrets (KV v2)
$secrets = Vault::listSecrets('path/to/secrets');
// List secrets (KV v1)
$secrets = Vault::listSecrets('path/to/secrets', 1);


// Get a secret (KV v2)
$secret = Vault::getSecret('path/to/secret');
// Using KV v1
$secret = Vault::getSecret('path/to/secret', 1);


// Store a secret (KV v2)
Vault::putSecret('path/to/secret', [
    'username' => 'admin',
    'password' => 'secret'
]);
// Store a secret (KV v1)
Vault::putSecret('path/to/secret', [
    'username' => 'admin',
    'password' => 'secret'
], 1);


// Delete a secret (KV v2)
Vault::deleteSecret('path/to/secret');
// Delete a secret (KV v1)
Vault::deleteSecret('path/to/secret', 1);

// Check if vault is unsealed
$isUnsealed = Vault::isUnsealed();

// Seal vault
$sealed = Vault::seal();

// Unseal vault (one call per unseal key; after n calls, the vault is unsealed)
Vault::unseal('key');

// Get vault health
$health = Vault::health();

// It is also possible to use a custom client (of type GuzzleHttp\Client)
$config = app()->config['vault']['servers']['main'];
$httpClient = new \GuzzleHttp\Client([
    'base_uri' => $config['address'],
    'headers' => [
        'X-Vault-Token' => $config['token'],
    ],
    'timeout' => $config['timeout'],
]);
$vaultClient = new Lucasberto\LaravelVault\VaultClient($config, $httpClient);
$vaultClient->getSecret('path/to/secret');

Multiple servers

// Use default connection
$secret = Vault::getSecret('path/to/secret');

// Use specific connection
$secret = Vault::connection('secondary')->getSecret('path/to/secret');
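
The connection switch above can be combined with isUnsealed() to read from the first server that is able to answer. This is an added example, not code from the package: readSecretWithFailover is a hypothetical helper, and it assumes that connection names match the keys under 'servers' in config/vault.php, that isUnsealed() returns a boolean and can be called on a named connection, that a failed request throws, and that both servers hold the same secret at the given path.

```php
<?php

use Illuminate\Support\Facades\Log;
use Lucasberto\LaravelVault\Facades\Vault;

/**
 * Hypothetical helper (not part of the package): read a secret from the
 * first configured connection that is unsealed and answers the request.
 *
 * Assumptions: connection names match the keys under 'servers' in
 * config/vault.php, isUnsealed() returns a boolean and is available on a
 * named connection, and a failed request throws.
 */
function readSecretWithFailover(string $path, array $connections = ['main', 'secondary']): mixed
{
    foreach ($connections as $name) {
        try {
            $vault = Vault::connection($name);

            // A sealed server cannot decrypt its storage, so skip it.
            if (! $vault->isUnsealed()) {
                Log::warning('Vault connection is sealed, trying next', ['connection' => $name]);
                continue;
            }

            return $vault->getSecret($path);
        } catch (\Throwable $e) {
            // Log only the connection name and exception class: no secret data,
            // no token, and no exception message (HTTP client messages can
            // echo request details).
            Log::warning('Vault read failed, trying next', [
                'connection' => $name,
                'error' => get_class($e),
            ]);
        }
    }

    // Fail closed: the caller gets an exception, never an empty or default secret.
    throw new \RuntimeException('No Vault connection could serve the requested secret.');
}

// Usage, e.g. inside a controller or queued job of the Laravel application
$secret = readSecretWithFailover('path/to/secret');
```

The helper throws when no connection can serve the request, so calling code cannot continue with a missing credential.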