The latest articles on DEV Community by Riptides (@riptidesio). https://dev.to/riptidesio https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F12259%2F2e261897-1176-4a13-b559-1a989bd3cefa.jpeg https://dev.to/riptidesio en Riptides Mon, 26 Jan 2026 13:53:54 +0000 https://dev.to/riptidesio/tokenex-adds-vault-openbao-support-exchanging-id-tokens-jwts-for-secrets-without-static-hpa https://dev.to/riptidesio/tokenex-adds-vault-openbao-support-exchanging-id-tokens-jwts-for-secrets-without-static-hpa <h2> Introducing Vault &amp; OpenBao support in <strong><a href="https://github.com/riptideslabs/tokenex" rel="noopener noreferrer">tokenex</a></strong> open source library </h2> <p>Since its first release, <strong><a href="https://github.com/riptideslabs/tokenex" rel="noopener noreferrer">tokenex</a></strong> has focused on <strong>identity-first credential acquisition</strong> exchanging short-lived identity tokens (JWT) for cloud credentials just-in-time, without baking secrets into code, files, or images.</p> <p>Today, we’re extending that model with <strong>native support for HashiCorp Vault and OpenBao as credential providers in <a href="https://github.com/riptideslabs/tokenex" rel="noopener noreferrer">tokenex</a></strong> beyond cloud IAM.</p> <p>With this new capability, <strong><a href="https://github.com/riptideslabs/tokenex" rel="noopener noreferrer">tokenex</a></strong> can exchange <strong>ID tokens (JWTs)</strong> for secrets stored in <strong>Vault or OpenBao</strong>, using their built-in <strong>JWT authentication</strong> flows; no static Vault tokens, no long-lived credentials, and no manual secret distribution.</p> <p>This addition makes Vault and OpenBao <strong>first-class participants in tokenex’s identity-driven workflow</strong>, allowing applications to retrieve both:</p> <ul> <li>cloud-native credentials (AWS, GCP, Azure, OCI), and</li> <li>infrastructure or application secrets (databases, APIs, internal services)</li> </ul> <p>using the <strong>same identity-based access pattern</strong>.</p> <p>In the next section, we’ll explain <strong>why this integration matters</strong>, how it complements tokenex’s existing capabilities, and what it unlocks for teams building secure, scalable systems.</p> <h2> Why we built this feature </h2> <p><strong><a href="https://github.com/riptideslabs/tokenex" rel="noopener noreferrer">tokenex</a></strong> was originally created to provide a <strong>unified, consistent interface for obtaining and refreshing cloud credentials</strong> across multiple providers including <strong>AWS, GCP, Azure, and OCI — by exchanging identity tokens for temporary credentials</strong> and streaming those credentials over a channel so applications never have to implement bespoke refresh logic themselves.</p> <p>It already supports:</p> <ul> <li> <strong>AWS</strong>: Exchanging ID tokens for temporary session credentials via Workload Identity Federation </li> <li> <strong>GCP</strong>: Exchanging ID tokens for access tokens via federated identity </li> <li> <strong>Azure</strong>: Exchanging ID tokens for access tokens using OAuth and Entra ID </li> <li> <strong>OCI</strong>: Exchanging ID tokens for User Principal Session Tokens (UPST) </li> <li> <strong>Generic token passthrough</strong> and Kubernetes secret watching for flexible integrations </li> </ul> <p>This model enables developers to write <strong>single credential consumption logic</strong>, regardless of provider, while <strong><a href="https://github.com/riptideslabs/tokenex" rel="noopener noreferrer">tokenex</a></strong> handles:</p> <ul> <li>Identity token exchange</li> <li>Credential refresh and rotation</li> <li>Streaming updates to applications</li> </ul> <p>While this already removed much of the complexity around cloud authentication, there was still a clear gap: <strong>enterprise secrets management</strong>.</p> <p>Many real‑world systems don’t only need cloud API credentials. They also rely on <strong>database credentials, API keys, and other sensitive configuration</strong>, which are typically managed by platforms like <strong>HashiCorp Vault</strong> or <strong>OpenBao</strong>. These systems excel at issuing <strong>dynamic, short‑lived secrets</strong>, enforcing least privilege, and providing strong auditability, but consuming those secrets safely still requires glue code and identity plumbing.</p> <p>By adding <strong>Vault/OpenBao as a first‑class credentials provider</strong>, <strong><a href="https://github.com/riptideslabs/tokenex" rel="noopener noreferrer">tokenex</a></strong> now allows workloads to:</p> <ul> <li>Exchange a <strong>JWT (ID token)</strong> for secrets using <strong>Vault/OpenBao JWT authentication</strong> </li> <li>Retrieve <strong>static or dynamic secrets</strong> (for example, database credentials) without embedding Vault‑specific logic</li> </ul> <p>With this addition, <strong><a href="https://github.com/riptideslabs/tokenex" rel="noopener noreferrer">tokenex</a></strong> evolves from a cloud‑credential helper into a <strong>general identity‑to‑secret exchange layer</strong>. Applications authenticate once using identity, and <strong><a href="https://github.com/riptideslabs/tokenex" rel="noopener noreferrer">tokenex</a></strong> handles the rest, regardless of whether the target is a cloud API or a centralized secrets manager.</p> <p>This feature is a natural extension of tokenex’s core philosophy:<br><br> <strong>minimize credential handling in applications, centralize trust in identity, and let platforms issue short‑lived secrets on demand.</strong></p> <h2> Demo: Using <a href="https://github.com/riptideslabs/tokenex" rel="noopener noreferrer">tokenex</a> with OpenBao to publish PostgreSQL credentials </h2> <h3> 1. Deploy OpenBao and PostgreSQL </h3> <p>In this step, we deploy <strong>OpenBao</strong> and <strong>PostgreSQL</strong> as containers using <strong>Docker Compose</strong>.</p> <p><strong>OpenBao configuration</strong></p> <p>Create a file named <code>vault.hcl</code> with the following contents:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">ui</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">storage</span> <span class="s2">"file"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/vault/data"</span> <span class="p">}</span> <span class="nx">listener</span> <span class="s2">"tcp"</span> <span class="p">{</span> <span class="nx">address</span> <span class="p">=</span> <span class="s2">"0.0.0.0:8200"</span> <span class="nx">tls_disable</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">api_addr</span> <span class="err">=</span> <span class="s2">"http://127.0.0.1:8200"</span> <span class="nx">cluster_addr</span> <span class="err">=</span> <span class="s2">"http://127.0.0.1:8201"</span> <span class="nx">plugin_auto_register</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">plugin_auto_download</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">plugin_download_behavior</span> <span class="err">=</span> <span class="s2">"fail"</span> <span class="nx">plugin_directory</span> <span class="err">=</span> <span class="s2">"/opt/openbao/plugins"</span> </code></pre> </div> <blockquote> <p><strong>Note</strong>:<br> For simplicity, TLS is disabled and file-based storage is used.<br> This configuration is suitable for demos and local development only.</p> </blockquote> <p><strong>Docker Compose setup</strong><br> Create a <code>docker-compose.yml</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">openbao</span><span class="pi">:</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">image</span><span class="pi">:</span> <span class="s">openbao/openbao:2.4</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">openbao</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8200:8200"</span> <span class="na">cap_add</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">IPC_LOCK</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./vault.hcl:/vault/config/vault.hcl:ro</span> <span class="pi">-</span> <span class="s">vault-data:/vault/data</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">VAULT_ADDR</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://127.0.0.1:8200"</span> <span class="na">command</span><span class="pi">:</span> <span class="s">vault server -log-level=debug -config=/vault/config/vault.hcl</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:18</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">shm_size</span><span class="pi">:</span> <span class="s">128mb</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">POSTGRES_USER</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">POSTGRES_PASSWORD</span><span class="pi">:</span> <span class="s">mysecretpassword</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">5432:5432"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pg-data:/var/lib/postgresql</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">vault-data</span><span class="pi">:</span> <span class="na">pg-data</span><span class="pi">:</span> </code></pre> </div> <h3> 2. Initialize and unseal OpenBAO </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>openbao bao operator init <span class="nt">-format</span><span class="o">=</span>json <span class="o">&gt;</span> vault-init.json docker <span class="nb">exec </span>openbao bao operator unseal <span class="si">$(</span>jq <span class="nt">-r</span> <span class="s1">'.unseal_keys_b64[0]'</span> vault-init.json<span class="si">)</span> docker <span class="nb">exec </span>openbao bao operator unseal <span class="si">$(</span>jq <span class="nt">-r</span> <span class="s1">'.unseal_keys_b64[1]'</span> vault-init.json<span class="si">)</span> docker <span class="nb">exec </span>openbao bao operator unseal <span class="si">$(</span>jq <span class="nt">-r</span> <span class="s1">'.unseal_keys_b64[2]'</span> vault-init.json<span class="si">)</span> </code></pre> </div> <h3> 3. Configure JWT authentication in OpenBao </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable JWT authentication method</span> docker <span class="nb">exec</span> <span class="nt">-e</span> <span class="nv">VAULT_TOKEN</span><span class="o">=</span><span class="si">$(</span>jq <span class="nt">-r</span> <span class="s1">'.root_token'</span> vault-init.json<span class="si">)</span> <span class="se">\</span> openbao bao auth <span class="nb">enable </span>jwt </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Configure the JWT authentication method</span> docker <span class="nb">exec</span> <span class="nt">-e</span> <span class="nv">VAULT_TOKEN</span><span class="o">=</span><span class="si">$(</span>jq <span class="nt">-r</span> <span class="s1">'.root_token'</span> vault-init.json<span class="si">)</span> <span class="se">\</span> openbao bao write auth/jwt/config <span class="se">\</span> <span class="nv">bound_issuer</span><span class="o">=</span><span class="s2">"&lt;OIDC_ISSUER_URL&gt;"</span> <span class="se">\</span> <span class="nv">oidc_discovery_url</span><span class="o">=</span><span class="s2">"&lt;OIDC_DISCOVERY_URL&gt;"</span> <span class="se">\</span> <span class="nv">oidc_client_id</span><span class="o">=</span><span class="s2">""</span> <span class="se">\</span> <span class="nv">oidc_client_secret</span><span class="o">=</span><span class="s2">""</span> </code></pre> </div> <ul> <li> <code>bound_issuer</code>: <code>&lt;OIDC_ISSUER_URL&gt;</code> – Issuer URL of your OIDC provider</li> <li> <code>oidc_discovery_url</code>: <code>&lt;OIDC_DISCOVERY_URL&gt;</code> – URL for OIDC metadata discovery (keys, endpoints) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a named role 'secret-reader' that authorizes JWTs with specific subject and audience claims</span> <span class="c"># Assign the 'read-secrets' policy to this role</span> docker <span class="nb">exec</span> <span class="nt">-e</span> <span class="nv">VAULT_TOKEN</span><span class="o">=</span><span class="si">$(</span>jq <span class="nt">-r</span> <span class="s1">'.root_token'</span> vault-init.json<span class="si">)</span> openbao <span class="se">\</span> bao write auth/jwt/role/secret-reader <span class="se">\</span> <span class="nv">user_claim</span><span class="o">=</span><span class="s2">"sub"</span> <span class="se">\</span> <span class="nv">bound_audiences</span><span class="o">=</span><span class="s2">"&lt;JWT_AUDIENCE&gt;"</span> <span class="se">\</span> <span class="nv">bound_subject</span><span class="o">=</span><span class="s2">"&lt;JWT_SUB_CLAIM&gt;"</span> <span class="se">\</span> <span class="nv">token_policies</span><span class="o">=</span><span class="s2">"read-secrets"</span> <span class="se">\</span> <span class="nv">token_type</span><span class="o">=</span><span class="s2">"service"</span> <span class="se">\</span> <span class="nv">expiration_leeway</span><span class="o">=</span>150 <span class="se">\</span> <span class="nv">not_before_leeway</span><span class="o">=</span>150 <span class="se">\</span> <span class="nv">role_type</span><span class="o">=</span><span class="s2">"jwt"</span> </code></pre> </div> <ul> <li> <code>bound_audiences</code>: <code>&lt;JWT_AUDIENCE&gt;</code> – Expected <code>aud</code> claim in JWT tokens</li> <li> <code>bound_subject</code>: <code>&lt;JWT_SUB_CLAIM&gt;</code> – Expected <code>sub</code> claim in JWT tokens </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create the 'read-secrets' policy</span> <span class="c"># Grants read access to the 'pg-dyn-dbuser' dynamic DB credential and the 'pg-dbuser1' static DB credential</span> docker <span class="nb">exec</span> <span class="nt">-i</span> <span class="nt">-e</span> <span class="nv">VAULT_TOKEN</span><span class="o">=</span><span class="si">$(</span>jq <span class="nt">-r</span> <span class="s1">'.root_token'</span> vault-init.json<span class="si">)</span> openbao <span class="se">\</span> bao policy write read-secrets -<span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> path "database/creds/pg-dyn-dbuser" { capabilities = ["read"] } path "database/static-creds/pg-dbuser1" { capabilities = ["read"] } </span><span class="no">EOF </span></code></pre> </div> <h3> 4. Configure database secrets engine </h3> <p>In this step, we enable the <strong>database secrets engine</strong> in OpenBAO and configure it to manage credentials for PostgreSQL, both dynamic (temporary) and static users.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable database secrets engine</span> docker <span class="nb">exec</span> <span class="nt">-e</span> <span class="nv">VAULT_TOKEN</span><span class="o">=</span><span class="si">$(</span>jq <span class="nt">-r</span> <span class="s1">'.root_token'</span> vault-init.json<span class="si">)</span> openbao <span class="se">\</span> bao secrets <span class="nb">enable </span>database </code></pre> </div> <p><strong>Configure the connection to PostgreSQL</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Configure connection to PostgreSQL</span> docker <span class="nb">exec</span> <span class="nt">-e</span> <span class="nv">VAULT_TOKEN</span><span class="o">=</span><span class="si">$(</span>jq <span class="nt">-r</span> <span class="s1">'.root_token'</span> vault-init.json<span class="si">)</span> openbao <span class="se">\</span> bao write database/config/my-postgresql-database <span class="se">\</span> <span class="nv">plugin_name</span><span class="o">=</span><span class="s2">"postgresql-database-plugin"</span> <span class="se">\</span> <span class="nv">allowed_roles</span><span class="o">=</span><span class="s2">"pg-dyn-dbuser, pg-dbuser1"</span> <span class="se">\</span> <span class="nv">connection_url</span><span class="o">=</span><span class="s2">"postgresql://{{username}}:{{password}}@postgres:5432"</span> <span class="se">\</span> <span class="nv">username</span><span class="o">=</span><span class="s2">"postgres"</span> <span class="se">\</span> <span class="nv">password</span><span class="o">=</span><span class="s2">"mysecretpassword"</span> </code></pre> </div> <p><strong>Configure a dynamic role for temporary PostgreSQL users</strong><br> Dynamic roles allow OpenBAO to generate short-lived database credentials automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Configure a role that maps a name in OpenBAO to an SQL statement to execute to create the database credential</span> docker <span class="nb">exec</span> <span class="nt">-e</span> <span class="nv">VAULT_TOKEN</span><span class="o">=</span><span class="si">$(</span>jq <span class="nt">-r</span> <span class="s1">'.root_token'</span> vault-init.json<span class="si">)</span> openbao <span class="se">\</span> bao write database/roles/pg-dyn-dbuser <span class="se">\</span> <span class="nv">db_name</span><span class="o">=</span><span class="s2">"my-postgresql-database"</span> <span class="se">\</span> <span class="nv">creation_statements</span><span class="o">=</span><span class="s2">"CREATE ROLE </span><span class="se">\"</span><span class="s2">{{name}}</span><span class="se">\"</span><span class="s2"> WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; </span><span class="se">\</span><span class="s2"> GRANT SELECT ON ALL TABLES IN SCHEMA public TO </span><span class="se">\"</span><span class="s2">{{name}}</span><span class="se">\"</span><span class="s2">;"</span> <span class="se">\</span> <span class="nv">default_ttl</span><span class="o">=</span><span class="s2">"1h"</span> <span class="se">\</span> <span class="nv">max_ttl</span><span class="o">=</span><span class="s2">"24h"</span> </code></pre> </div> <ul> <li> <strong>Note</strong> that <code>{{name}}</code>, <code>{{password}}</code>, and <code>{{expiration}}</code> are dynamically populated by OpenBAO.</li> </ul> <p><strong>Create a static PostgreSQL user</strong><br> This user will be referenced by a static role in OpenBAO.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a database user named 'dbuser1' in the PostgreSQL</span> docker <span class="nb">exec</span> <span class="nt">-e</span> <span class="nv">PGPASSWORD</span><span class="o">=</span>mysecretpassword postgres psql <span class="nt">-U</span> postgres <span class="nt">-c</span> <span class="s2">"CREATE USER </span><span class="se">\"</span><span class="s2">dbuser1</span><span class="se">\"</span><span class="s2"> WITH PASSWORD 'pwd1'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO </span><span class="se">\"</span><span class="s2">dbuser1</span><span class="se">\"</span><span class="s2">;"</span> </code></pre> </div> <p><strong>Configure a static role in OpenBAO</strong><br> Static roles allow OpenBAO to manage existing database users without creating new ones:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Configure a static role that creates a link to a user named 'dbuser1' in the PostgreSQL database</span> docker <span class="nb">exec</span> <span class="nt">-e</span> <span class="nv">VAULT_TOKEN</span><span class="o">=</span><span class="si">$(</span>jq <span class="nt">-r</span> <span class="s1">'.root_token'</span> vault-init.json<span class="si">)</span> openbao <span class="se">\</span> bao write database/static-roles/pg-dbuser1 <span class="se">\</span> <span class="nv">db_name</span><span class="o">=</span><span class="s2">"my-postgresql-database"</span> <span class="se">\</span> <span class="nv">username</span><span class="o">=</span><span class="s2">"dbuser1"</span> <span class="se">\</span> <span class="nv">rotation_period</span><span class="o">=</span><span class="s2">"1d"</span> </code></pre> </div> <ul> <li> <strong>Note</strong> - <code>pg-dbuser1</code> maps to the existing PostgreSQL user <code>dbuser1</code> and <code>rotation_period</code> defines how often the password of the database user should be rotated</li> </ul> <h3> 5. Demo application </h3> <p>This demo application logs <strong>both dynamic and static database credentials</strong> to stdout as they are issued and refreshed by OpenBAO.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"context"</span> <span class="s">"log"</span> <span class="s">"os"</span> <span class="s">"os/signal"</span> <span class="s">"sync"</span> <span class="s">"syscall"</span> <span class="s">"emperror.dev/errors"</span> <span class="s">"github.com/go-logr/logr"</span> <span class="s">"github.com/iand/logfmtr"</span> <span class="s">"go.riptides.io/tokenex/pkg/credential"</span> <span class="s">"go.riptides.io/tokenex/pkg/token"</span> <span class="s">"go.riptides.io/tokenex/pkg/vault"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Create a cancellable context</span> <span class="n">ctx</span><span class="p">,</span> <span class="n">cancel</span> <span class="o">:=</span> <span class="n">context</span><span class="o">.</span><span class="n">WithCancel</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">())</span> <span class="k">defer</span> <span class="n">cancel</span><span class="p">()</span> <span class="c">// Create a logger</span> <span class="n">opts</span> <span class="o">:=</span> <span class="n">logfmtr</span><span class="o">.</span><span class="n">DefaultOptions</span><span class="p">()</span> <span class="n">opts</span><span class="o">.</span><span class="n">Humanize</span> <span class="o">=</span> <span class="no">true</span> <span class="n">opts</span><span class="o">.</span><span class="n">Colorize</span> <span class="o">=</span> <span class="no">true</span> <span class="n">opts</span><span class="o">.</span><span class="n">AddCaller</span> <span class="o">=</span> <span class="no">true</span> <span class="n">opts</span><span class="o">.</span><span class="n">CallerSkip</span> <span class="o">=</span> <span class="m">2</span> <span class="n">logger</span> <span class="o">:=</span> <span class="n">logfmtr</span><span class="o">.</span><span class="n">NewWithOptions</span><span class="p">(</span><span class="n">opts</span><span class="p">)</span> <span class="n">logfmtr</span><span class="o">.</span><span class="n">SetVerbosity</span><span class="p">(</span><span class="m">2</span><span class="p">)</span> <span class="c">// Create a wait group to track goroutines</span> <span class="k">var</span> <span class="n">wg</span> <span class="n">sync</span><span class="o">.</span><span class="n">WaitGroup</span> <span class="c">// Set up graceful shutdown</span> <span class="n">signalChan</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">(</span><span class="k">chan</span> <span class="n">os</span><span class="o">.</span><span class="n">Signal</span><span class="p">,</span> <span class="m">1</span><span class="p">)</span> <span class="n">signal</span><span class="o">.</span><span class="n">Notify</span><span class="p">(</span><span class="n">signalChan</span><span class="p">,</span> <span class="n">syscall</span><span class="o">.</span><span class="n">SIGINT</span><span class="p">,</span> <span class="n">syscall</span><span class="o">.</span><span class="n">SIGTERM</span><span class="p">)</span> <span class="n">logger</span><span class="o">.</span><span class="n">Info</span><span class="p">(</span><span class="s">"Press Ctrl+C to stop..."</span><span class="p">)</span> <span class="k">go</span> <span class="k">func</span><span class="p">()</span> <span class="p">{</span> <span class="n">sig</span> <span class="o">:=</span> <span class="o">&lt;-</span><span class="n">signalChan</span> <span class="n">logger</span><span class="o">.</span><span class="n">Info</span><span class="p">(</span><span class="s">"Received signal, shutting down..."</span><span class="p">,</span> <span class="s">"sig"</span><span class="p">,</span> <span class="n">sig</span><span class="p">)</span> <span class="n">cancel</span><span class="p">()</span> <span class="p">}()</span> <span class="c">// Create an identity token provider</span> <span class="c">// under the hood the credential provider uses OCI workload identity federation to fetch user principal session tokens from OCI</span> <span class="c">// the credential provider exchanges an input ID token for an OCI user principal session token</span> <span class="c">// the input ID token can be obtained from any OIDC compliant IDP (e.g. Google, Microsoft, Auth0, Okta, etc.)</span> <span class="c">// for this example, we use a static ID token provider that returns a hardcoded ID token issued by an OIDC compliant IDP</span> <span class="c">// in a real application, you would implement the `token.IdentityTokenProvider` interface to create a dynamic ID token provider that fetches the ID token from an OIDC compliant IDP</span> <span class="n">idTokenProvider</span> <span class="o">:=</span> <span class="n">token</span><span class="o">.</span><span class="n">NewStaticIdentityTokenProvider</span><span class="p">(</span><span class="s">"&lt;id-token-issued-by-idp&gt;"</span><span class="p">)</span> <span class="c">// Create the Vault credentials provider</span> <span class="n">vaultProvider</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">vault</span><span class="o">.</span><span class="n">NewCredentialsProvider</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">logger</span><span class="p">,</span> <span class="s">"http://localhost:8200"</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">logger</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">err</span><span class="p">,</span> <span class="s">"Failed to create Vault credentials provider"</span><span class="p">)</span> <span class="p">}</span> <span class="n">dynDBCredsChan</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">vaultProvider</span><span class="o">.</span><span class="n">GetCredentials</span><span class="p">(</span> <span class="n">ctx</span><span class="p">,</span> <span class="n">idTokenProvider</span><span class="p">,</span> <span class="n">vault</span><span class="o">.</span><span class="n">WithJWTAuthMethodPath</span><span class="p">(</span><span class="s">"jwt"</span><span class="p">),</span> <span class="n">vault</span><span class="o">.</span><span class="n">WithJWTAuthRoleName</span><span class="p">(</span><span class="s">"secret-reader"</span><span class="p">),</span> <span class="n">vault</span><span class="o">.</span><span class="n">WithSecretFullPath</span><span class="p">(</span><span class="s">"database/creds/pg-dyn-dbuser"</span><span class="p">),</span> <span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">logger</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">err</span><span class="p">,</span> <span class="s">"Failed to get dynamic database credentials"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Process dynamic database credentials</span> <span class="n">wg</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="n">credentialsConsumer</span><span class="p">(</span><span class="n">logr</span><span class="o">.</span><span class="n">NewContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">logger</span><span class="o">.</span><span class="n">WithValues</span><span class="p">(</span><span class="s">"secret_engine"</span><span class="p">,</span> <span class="s">"database"</span><span class="p">,</span> <span class="s">"credential_type"</span><span class="p">,</span> <span class="s">"dynamic"</span><span class="p">,</span> <span class="s">"secret_path"</span><span class="p">,</span> <span class="s">"/creds/pg-dyn-dbuser"</span><span class="p">)),</span> <span class="o">&amp;</span><span class="n">wg</span><span class="p">,</span> <span class="n">dynDBCredsChan</span><span class="p">,</span> <span class="n">logDBCreds</span><span class="p">)</span> <span class="n">staticDBCredsChan</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">vaultProvider</span><span class="o">.</span><span class="n">GetCredentials</span><span class="p">(</span> <span class="n">ctx</span><span class="p">,</span> <span class="n">idTokenProvider</span><span class="p">,</span> <span class="n">vault</span><span class="o">.</span><span class="n">WithJWTAuthMethodPath</span><span class="p">(</span><span class="s">"jwt"</span><span class="p">),</span> <span class="n">vault</span><span class="o">.</span><span class="n">WithJWTAuthRoleName</span><span class="p">(</span><span class="s">"secret-reader"</span><span class="p">),</span> <span class="n">vault</span><span class="o">.</span><span class="n">WithSecretFullPath</span><span class="p">(</span><span class="s">"database/static-creds/pg-dbuser1"</span><span class="p">),</span> <span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">logger</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">err</span><span class="p">,</span> <span class="s">"Failed to get static database credentials"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Process static database credentials</span> <span class="n">wg</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="n">credentialsConsumer</span><span class="p">(</span><span class="n">logr</span><span class="o">.</span><span class="n">NewContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">logger</span><span class="o">.</span><span class="n">WithValues</span><span class="p">(</span><span class="s">"secret_engine"</span><span class="p">,</span> <span class="s">"database"</span><span class="p">,</span> <span class="s">"credential_type"</span><span class="p">,</span> <span class="s">"static"</span><span class="p">,</span> <span class="s">"secret_path"</span><span class="p">,</span> <span class="s">"/static-creds/pg-dbuser1"</span><span class="p">)),</span> <span class="o">&amp;</span><span class="n">wg</span><span class="p">,</span> <span class="n">staticDBCredsChan</span><span class="p">,</span> <span class="n">logDBCreds</span><span class="p">)</span> <span class="c">// Wait for all goroutines to finish</span> <span class="n">wg</span><span class="o">.</span><span class="n">Wait</span><span class="p">()</span> <span class="p">}</span> <span class="k">func</span> <span class="n">credentialsConsumer</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">wg</span> <span class="o">*</span><span class="n">sync</span><span class="o">.</span><span class="n">WaitGroup</span><span class="p">,</span> <span class="n">credsChan</span> <span class="o">&lt;-</span><span class="k">chan</span> <span class="n">credential</span><span class="o">.</span><span class="n">Result</span><span class="p">,</span> <span class="n">credsLogger</span> <span class="k">func</span><span class="p">(</span><span class="n">logr</span><span class="o">.</span><span class="n">Logger</span><span class="p">,</span> <span class="o">*</span><span class="n">credential</span><span class="o">.</span><span class="n">VaultSecret</span><span class="p">))</span> <span class="p">{</span> <span class="k">go</span> <span class="k">func</span><span class="p">()</span> <span class="p">{</span> <span class="k">defer</span> <span class="n">wg</span><span class="o">.</span><span class="n">Done</span><span class="p">()</span> <span class="n">logger</span> <span class="o">:=</span> <span class="n">logr</span><span class="o">.</span><span class="n">FromContextOrDiscard</span><span class="p">(</span><span class="n">ctx</span><span class="p">)</span> <span class="k">for</span> <span class="p">{</span> <span class="k">select</span> <span class="p">{</span> <span class="k">case</span> <span class="n">creds</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="o">&lt;-</span><span class="n">credsChan</span><span class="o">:</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="n">logger</span><span class="o">.</span><span class="n">Info</span><span class="p">(</span><span class="s">"credentials channel closed"</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="k">if</span> <span class="n">creds</span><span class="o">.</span><span class="n">Err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">logger</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">creds</span><span class="o">.</span><span class="n">Err</span><span class="p">,</span> <span class="s">"Error receiving credentials"</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">GetDetails</span><span class="p">(</span><span class="n">creds</span><span class="o">.</span><span class="n">Err</span><span class="p">)</span><span class="o">...</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">dbSecret</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">creds</span><span class="o">.</span><span class="n">Credential</span><span class="o">.</span><span class="p">(</span><span class="o">*</span><span class="n">credential</span><span class="o">.</span><span class="n">VaultSecret</span><span class="p">)</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="n">logger</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"invalid credential type"</span><span class="p">),</span> <span class="s">"expected *credential.VaultSecret"</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">credsLogger</span><span class="p">(</span><span class="n">logger</span><span class="p">,</span> <span class="n">dbSecret</span><span class="p">)</span> <span class="k">case</span> <span class="o">&lt;-</span><span class="n">ctx</span><span class="o">.</span><span class="n">Done</span><span class="p">()</span><span class="o">:</span> <span class="n">log</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Context cancelled, shutting down credentials handler"</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}()</span> <span class="p">}</span> <span class="k">func</span> <span class="n">logDBCreds</span><span class="p">(</span><span class="n">logger</span> <span class="n">logr</span><span class="o">.</span><span class="n">Logger</span><span class="p">,</span> <span class="n">dbSecret</span> <span class="o">*</span><span class="n">credential</span><span class="o">.</span><span class="n">VaultSecret</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Database secrets typically contain username and password</span> <span class="n">username</span> <span class="o">:=</span> <span class="n">dbSecret</span><span class="o">.</span><span class="n">Data</span><span class="p">[</span><span class="s">"username"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">)</span> <span class="n">password</span> <span class="o">:=</span> <span class="n">dbSecret</span><span class="o">.</span><span class="n">Data</span><span class="p">[</span><span class="s">"password"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">)</span> <span class="n">logger</span><span class="o">.</span><span class="n">Info</span><span class="p">(</span><span class="s">"credential"</span><span class="p">,</span> <span class="s">"username"</span><span class="p">,</span> <span class="n">username</span><span class="p">,</span> <span class="s">"password"</span><span class="p">,</span> <span class="n">password</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>Sample output</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>0 info | 11:00:29.398131 | Press Ctrl+C to stop... <span class="nb">caller</span><span class="o">=</span>main.go:41 0 info | 11:00:29.428805 | credential <span class="nb">caller</span><span class="o">=</span>main.go:220 <span class="nv">secret_engine</span><span class="o">=</span>database <span class="nv">credential_type</span><span class="o">=</span>static <span class="nv">secret_path</span><span class="o">=</span>/static-creds/pg-dbuser1 <span class="nv">username</span><span class="o">=</span>dbuser1 <span class="nv">password</span><span class="o">=</span>Qj-6l6OWghtonpucH6Vd 2 info | 11:00:29.428858 | Published Vault secret <span class="nv">logger</span><span class="o">=</span>vault_credentials <span class="nb">caller</span><span class="o">=</span>creds.go:245 <span class="nv">secret_path</span><span class="o">=</span>database/static-creds/pg-dbuser1 <span class="nv">expiresAt</span><span class="o">=</span><span class="s2">"2026-01-15 13:51:17.428782 +0100 CET m=+6648.032605334"</span> 2 info | 11:00:29.428879 | Using RefreshOn <span class="nb">time </span>from credentials <span class="nv">logger</span><span class="o">=</span>vault_credentials <span class="nb">caller</span><span class="o">=</span>creds.go:252 <span class="nv">refreshOn</span><span class="o">=</span><span class="s2">"2026-01-15 13:51:22.428782 +0100 CET m=+6653.032605334"</span> 1 info | 11:00:29.428885 | Scheduling credential refresh <span class="nv">logger</span><span class="o">=</span>vault_credentials <span class="nb">caller</span><span class="o">=</span>creds.go:260 <span class="nv">refreshIn</span><span class="o">=</span>1h50m52.999899041s <span class="nv">refreshBuffer</span><span class="o">=</span>0s <span class="nv">secret_path</span><span class="o">=</span>database/static-creds/pg-dbuser1 2 info | 11:00:29.446979 | Published Vault secret <span class="nv">logger</span><span class="o">=</span>vault_credentials <span class="nb">caller</span><span class="o">=</span>creds.go:245 <span class="nv">secret_path</span><span class="o">=</span>database/creds/pg-dyn-dbuser <span class="nv">expiresAt</span><span class="o">=</span><span class="s2">"2026-01-15 12:15:29.446969 +0100 CET m=+900.050791918"</span> 0 info | 11:00:29.446989 | credential <span class="nb">caller</span><span class="o">=</span>main.go:220 <span class="nv">secret_engine</span><span class="o">=</span>database <span class="nv">credential_type</span><span class="o">=</span>dynamic <span class="nv">secret_path</span><span class="o">=</span>/creds/pg-dyn-dbuser <span class="nv">username</span><span class="o">=</span>v-jwt-ript-pg-dyn-d-QKRDQydUME1zlQtgdyY6-1768474829 <span class="nv">password</span><span class="o">=</span>t7gZd5h-7BwZr2lB0iFO 1 info | 11:00:29.447002 | Scheduling credential refresh <span class="nv">logger</span><span class="o">=</span>vault_credentials <span class="nb">caller</span><span class="o">=</span>creds.go:260 <span class="nv">refreshIn</span><span class="o">=</span>11m57.937258345s <span class="nv">refreshBuffer</span><span class="o">=</span>3m2.06274128s <span class="nv">secret_path</span><span class="o">=</span>database/creds/pg-dyn-dbuser </code></pre> </div> <p><strong>What we see in the output</strong>:</p> <ul> <li>For the <strong>static PostgreSQL user</strong> <code>dbuser1</code>, the password is managed and rotated by the OpenBAO database secrets engine. The user was originally created with the password <code>pwd1</code>. OpenBAO rotates this password <strong>only when the rotation time is reached</strong>, at <code>expiresAt="2026-01-15 13:51:17.428782 +0100 CET"</code>. </li> </ul> <p>Because this is a static role, <strong><a href="https://github.com/riptideslabs/tokenex" rel="noopener noreferrer">tokenex</a> cannot retrieve a new password before the rotation occurs</strong>. It must wait until OpenBAO performs the rotation.<br><br> Once the password has been rotated, Tokenex re-fetches and publishes the updated credentials shortly after, at <code>refreshOn="2026-01-15 13:51:22.428782 +0100 CET"</code>.</p> <ul> <li>For the <strong>dynamic PostgreSQL user</strong> <code>v-jwt-ript-pg-dyn-d-QKRDQydUME1zlQtgdyY6-1768474829</code>, OpenBAO creates a brand-new database user with a unique password. This credential is short-lived and expires in approximately 15 minutes. </li> </ul> <p>Unlike static credentials, <strong><a href="https://github.com/riptideslabs/tokenex" rel="noopener noreferrer">tokenex</a> can proactively request a new dynamic credential before the current one expires</strong>.<br><br> In this example, a refresh is scheduled at <code>refreshIn=11m57.937258345s</code> with a <code>refreshBuffer=3m2.06274128s</code>, ensuring continuous access without relying on password rotation.</p> <h2> Example use cases </h2> <h3> 1. Zero-Trust service &amp; database access </h3> <p>Workloads authenticate using a JWT and exchange it for secrets at runtime:</p> <ul> <li>Short-lived database credentials (e.g. PostgreSQL)</li> <li>Service-specific API keys or tokens</li> <li>Automatically rotated by Vault/OpenBao</li> <li>Fully auditable and identity-scoped</li> </ul> <p>No secrets in config files, CI pipelines, or environment variables.<br> No shared credentials between services.</p> <h3> 2. Trusted secret orchestrators </h3> <p>A trusted orchestrator (Kubernetes controller, job runner, workflow engine) can:</p> <ul> <li>Authenticate using its own workload identity</li> <li>Use Tokenex to fetch secrets on behalf of workloads</li> <li>Enforce centralized policy, intent, and approval flows</li> <li>Act as a controlled trust boundary in regulated environments</li> </ul> <h2> Final thoughts </h2> <p>By combining:</p> <ul> <li><strong>Identity-based authentication</strong></li> <li><strong>Centralized secrets management</strong></li> <li><strong>Short-lived credentials</strong></li> <li><strong>Explicit, auditable token exchange</strong></li> </ul> <p>you end up with systems that are:</p> <ul> <li>Easier to reason about </li> <li>Harder to misuse </li> <li>Safer by default </li> </ul> <p><strong><a href="https://github.com/riptideslabs/tokenex" rel="noopener noreferrer">tokenex</a></strong> doesn’t replace Vault or OpenBao — it <strong>connects them seamlessly to modern identity systems</strong>, allowing secrets to be accessed only when and where identity has been verified.</p> <p>If you enjoyed this post, follow us on <a href="https://www.linkedin.com/company/riptidesio/" rel="noopener noreferrer">LinkedIn</a> and <a href="https://x.com/riptidesio" rel="noopener noreferrer">X</a> for more updates.</p> <p>If you’d like to see Riptides in action, <a href="https://riptides.io/request-a-demo" rel="noopener noreferrer">get in touch with us for a demo</a>.</p> security nhi vault opensource