Open QWERTY92009 opened 2 years ago
In that case, would it make more sense to use the HashiCorp API directly as a KMS provider?
Sounds good! Could you elaborate on how the Vault token is managed (to write the key initially, and to read the key afterward)? Thanks! Update: Never mind. I see you are using the environment variable VAULT_TOKEN.
Description
Our CI pipeline manages all secrets in HashiCorp Vault. Rather than managing the encrypted signing key and its password, we would prefer to manage just the unencrypted key, which will be pulled by the signing agent as needed.