VaultX

Modern, enterprise-grade HashiCorp Vault client for Elixir.

Overview

VaultX is a high-level, production-ready Elixir client for HashiCorp Vault that focuses on:

Simplicity: A small, consistent API for common Vault tasks
Correctness: Typed interfaces, robust error handling, safe defaults
Performance: Pooled connections, adaptive retries, native JSON
Observability: Structured logging and optional telemetry
Security: Conservative security defaults, comprehensive validation
BEAM-Native: Designed for OTP distribution and hot code reloading workflows

What is VaultX

VaultX is an Elixir library that wraps Vault's HTTP API with an ergonomic, stateless interface. It provides comprehensive support for:

Core Features

Secrets Management: KV v1/v2 and other engines (read, write, delete, list)
System Operations: Health checks, seal status, initialization
Lease Management: Lookup, renew, revoke, tidy, and bulk operations
Audit Devices: List, enable, and disable audit logging
Authentication: Multiple auth methods with high-level authenticate interface

Supported Secrets Engines

Engine	Description
Key-Value (KV)	Both v1 and v2 with automatic version detection
PKI	Certificate authority management and certificate lifecycle
Transit	Encryption as a service and key management
AWS	Dynamic credential generation for AWS services
TOTP	Time-based one-time password generation
RabbitMQ	Dynamic RabbitMQ credentials
Consul	Dynamic Consul credentials

Supported Auth Methods

Method	Description
Token	Direct token authentication and validation
AppRole	Machine-to-machine authentication
JWT/OIDC	JSON Web Token authentication
AWS	AWS IAM authentication
Azure	Azure Active Directory authentication
GitHub	GitHub organization authentication
LDAP	Lightweight Directory Access Protocol
UserPass	Username and password authentication
AliCloud	Alibaba Cloud authentication

Supported System Backend

Operation	Description
Audit Devices	List, enable, and disable audit logging devices
Mounts	Manage secrets engine mount points and configuration
Policies	Create, read, update, and delete ACL/RGP/EGP policies
Namespaces	Enterprise namespace management and isolation
Health & Status	Health checks, seal status, and leader information
Initialization	Vault initialization and unseal operations
Leases	Lease lookup, renewal, revocation, and management
Seal Management	Seal, unseal, and seal backend status operations
Monitoring	System monitoring and operational metrics
Tools	Administrative tools and utilities

Why Use VaultX

Modern software works because of secrets. Secrets are sensitive, discrete pieces of information like credentials, encryption keys, authentication certificates, and other critical pieces of information your applications need to run consistently and securely.

VaultX helps harden applications by centralizing secret management:

Manage Static Secrets

Store and rotate arbitrary secrets in Vault with the Key/Value engines. VaultX encrypts data before writing to persistent storage, ensuring raw storage access is insufficient to compromise information.

Manage Dynamic Secrets

Generate and revoke on-demand credentials for database systems and cloud providers like AWS. Control access to external information like encryption keys and cloud credentials with automatic lifecycle management.

Manage Certificates

Configure VaultX to work with certificate authorities to manage certificate lifecycles and authenticate clients. Support for PKI operations including root CA management and certificate issuance.

Manage Identities and Authentication

Control client access to sensitive information with managed entities, identity tokens, and comprehensive authentication workflows supporting multiple identity providers.

Secure Sensitive Data

Define custom parameters to encrypt or tokenize sensitive data in transit and at rest without storing the data in Vault, using the Transit secrets engine.

Support Regulatory Compliance

Configure VaultX as part of HSM solutions, FIPS compliant architectures, with comprehensive audit logging for security compliance requirements.

How VaultX Works

VaultX implements HashiCorp Vault's core workflow with four stages:

Authenticate: Clients supply information that VaultX uses to determine identity through various auth methods
Validation: VaultX validates clients against third-party trusted sources like GitHub, LDAP, AppRole, and more
Authorize: Clients are matched against Vault security policies defining API endpoint access
Access: VaultX grants access to secrets, keys, and encryption capabilities based on associated policies

Architecture

VaultX follows modern Elixir library conventions:

Stateless: No GenServer or caching, pure function-based operations
Dynamic: Configuration changes take effect immediately
Hierarchical: Environment variables override application configuration
Validated: Comprehensive validation using NimbleOptions
Secure: Built-in security validation and best practices

Operations

Secrets Management

# Read from KV v2
{:ok, data} = VaultX.Client.read("secret/data/myapp/config")

# Write secrets
:ok = VaultX.Client.write("secret/data/myapp/config", %{"key" => "value"})

# List secrets
{:ok, keys} = VaultX.Client.list("secret/myapp/")

# Delete secrets
:ok = VaultX.Client.delete("secret/myapp/config")

System Operations

# Health checks
{:ok, health} = VaultX.Client.health()

# Seal status
{:ok, seal} = VaultX.Client.seal_status()

Lease Management

# Lookup lease
{:ok, lease} = VaultX.Sys.Leases.lookup("aws/creds/deploy/abcd-1234")

# Renew lease
{:ok, renewed} = VaultX.Sys.Leases.renew("aws/creds/deploy/abcd-1234", 1800)

# Revoke lease
:ok = VaultX.Sys.Leases.revoke("aws/creds/deploy/abcd-1234")

Audit Devices

VaultX provides comprehensive audit device management for security compliance:

# List audit devices
{:ok, devices} = VaultX.Sys.Audit.list()

# Enable file audit
{:ok, _} = VaultX.Sys.Audit.enable("file-audit", "file", %{
  file_path: "/var/log/vault/audit.log"
})

# Disable audit device
{:ok, _} = VaultX.Sys.Audit.disable("file-audit")

Audit devices provide detailed logging of all Vault operations, supporting:

File-based auditing: Write audit logs to local files
Syslog integration: Send audit logs to syslog
Socket-based auditing: Stream audit logs over network sockets
Multiple devices: Enable multiple audit devices for redundancy

Security

VaultX implements HashiCorp Vault's security model with enterprise-grade features:

Encryption Barrier

All data is encrypted before storage using Vault's encryption barrier. The storage backend is considered untrusted, ensuring data remains secure even if storage is compromised.

Authentication & Authorization

Identity-based access: All operations require authenticated identity
Policy-based authorization: Fine-grained access control through policies
Token lifecycle management: Automatic token renewal and revocation
Audit logging: Comprehensive logging of all operations

TLS & Network Security

TLS by default: All communications encrypted in transit
Certificate validation: Comprehensive SSL/TLS certificate verification
mTLS support: Mutual TLS authentication for high-security environments
Security headers: Validation of security headers for compliance

Limited Docker/Kubernetes Ecosystem Support

[!WARNING] This project has not been tested or validated for use with Docker or Kubernetes environments. While VaultX may work in containerized deployments, we do not provide official support, testing, or documentation for Docker/Kubernetes integration patterns.

VaultX is a library, not a sidecar/agent/operator. We intentionally focus on Elixir application integration instead of container ecosystems. As a result, we do not ship:

A Vault agent sidecar, injector, or CSI driver
A Kubernetes operator/CRDs or admission webhooks

Rationale

The limited Docker/Kubernetes ecosystem support is largely influenced by the philosophy behind DeployEx, a lightweight deployment tool designed for managing BEAM applications (Elixir, Erlang, Gleam) without relying on additional deployment tools like Docker or Kubernetes.

Key reasons for this approach:

Keep the core library small, fast, and maintainable
Avoid duplicating mature, battle-tested tooling from HashiCorp and the community
Leverage BEAM/OTP distribution capabilities: The Erlang/OTP distribution system provides robust clustering and monitoring capabilities that often eliminate the need for container orchestration
Embrace BEAM-native deployment patterns: Tools like DeployEx demonstrate that BEAM applications can be effectively deployed and managed using OTP distribution, hot code reloading, and native BEAM supervision trees
Encourage best-of-breed composition: Use Vault Agent Injector, CSI secrets driver, or init containers for Kubernetes; use standard Docker image patterns for configs/tokens

Recommended Patterns

BEAM-Native Deployment (Recommended)

For BEAM applications, consider using DeployEx:

OTP Distribution: Leverage native Erlang distribution for clustering and monitoring
Hot Code Reloading: Deploy updates without downtime using OTP hot upgrades
Native Supervision: Use OTP supervision trees instead of container orchestration
Simplified Operations: Eliminate container complexity while maintaining enterprise features

Kubernetes

Pair VaultX with existing Kubernetes-native solutions:

Vault Agent Injector: Automatically inject secrets into pods
Vault CSI Driver: Mount secrets as volumes
Kubernetes Auth: Authenticate using Kubernetes service accounts
Init Containers: Fetch secrets during pod initialization

Docker

Use standard Docker patterns:

Environment variables: Pass tokens via environment variables
Mounted files: Mount token files from host or volumes
Avoid baking secrets into images: Never include secrets in Docker images
Rotate tokens out-of-band: Let VaultX read them dynamically at runtime

References

Quickstarts

1. Installation

Add to your mix.exs:

def deps do
  [
    {:vaultx, "~> 0.6"}
  ]
end

Optional dependencies:

{:jason, "~> 1.4"} if you're on Elixir < 1.18 or prefer Jason
{:telemetry, "~> 1.3"} for metrics and observability

Run:

mix deps.get

2. Configuration

Set minimal environment variables (dynamic config is resolved each call):

export VAULTX_URL="https://vault.example.com:8200"
export VAULTX_TOKEN="hvs.xxxxx"  # or VAULT_TOKEN
# Optional: select JSON library
# export VAULTX_JSON_LIBRARY="elixir" | "jason"

3. Basic Usage

# Read secrets
{:ok, data} = VaultX.Client.read("secret/data/myapp/config")

# Write secrets
:ok = VaultX.Client.write("secret/data/myapp/config", %{"key" => "value"})

# System operations
{:ok, health} = VaultX.Client.health()
{:ok, seal} = VaultX.Client.seal_status()

Recommendations

Prefer short-lived tokens and narrow policies; enable leases and enforce revocation on incidents
Use KV v2 for versioned data and CAS writes; include /data/ in paths
Enable at least one audit device before production traffic; consider a fallback device
On Kubernetes, combine VaultX with Vault Agent Injector or the CSI driver
Instrument telemetry and logs; redact sensitive data in your own logs as well

Installation and Compatibility

Elixir: ~> 1.18 (uses Elixir's built-in JSON when available; falls back to Jason)
OTP: Standard supported versions for Elixir 1.18
HTTP Stack: Req + Finch for modern, efficient HTTP operations
Philosophy: Stateless, dynamic runtime config, conservative security defaults, excellent DX

Configuration

VaultX.Base.Config resolves settings from environment variables first, then application config, then defaults. Common variables:

VAULTX_URL / VAULT_ADDR: Vault server URL
VAULTX_TOKEN / VAULT_TOKEN: Authentication token
VAULTX_NAMESPACE / VAULT_NAMESPACE: Vault namespace (Enterprise)
Timeouts, retries, TLS options can be tuned via app env or options per call

For detailed configuration options, advanced settings, and examples, see Configuration Guide.

Telemetry

VaultX emits optional telemetry around operations (read/write/list, health, leases, audit). Hook into your metrics/trace stack by attaching handlers.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

Licensed under the MIT License. See LICENSE for details.

Next Page → Changelog