vault login to store VAULT_ADDR along with ~/.vault-token

[clux]

We have a ton of vaults, and login requires multiplexing between them with shell scripts. These shell scripts cannot easily be shared, or turned into proper utilities because they require you set VAULT_ADDR yourself in your shell.

Ideally, vault login should log you in properly without having to require a VAULT_ADDR set yourself. Like kubectl, or tsh, say. When you login or switch contexts you are done. No further evars are required (unless you want to override).

Describe alternatives you've considered Having a vault login multiplexer script output the export VAULT_ADDR=correct_vault_url for people to source themselves. It's not a nice interface.

[mr-fixit]

instead of setting the global VAULT_ADDR, could your script that calls vault login use the -address ${correct_vault_url}?

[clux]

That works, but AFAIK the address is not stored in a current-context like file anywhere, right?

When using vault read afterwards it fails to remember the address. So that's doesn't really get us any further. We now have to wrap the entire utility with different shell scripts to be able to multiplex between vaults.

[aphorise]

IMO - aside from the parameter setting via -address there's the better approach of inline and prefix assignment such as:

VAULT_ADDR=... VAULT_TOKEN=... vault secrets list - better than storing these to file you can also have them set / unset via environment variables.

What's more you must export VAULT_ADDR='https://...:8200' ; and that is actually the reason why your subsequent vault read fails if for example you're merely doing:

VAULT_ADDR=...:8200
vault read ... 
# // Error due to it defaulting to 127 address as VAULT_ADDR env cant be read.
# VS:
export VAULT_ADDR=...:8200 ;
vault read ... ;
# works fine.

@clux can you kindly state if you've revisited this and if the request may still be relevant for you.