Environment variable injection for child processes #4

@kobzevvv

Why: Database clients (PostgreSQL, MySQL, Redis) and cloud SDKs (GCP, AWS) expect credentials as environment variables (DATABASE_URL, GOOGLE_APPLICATION_CREDENTIALS, AWS_SECRET_ACCESS_KEY). Vault currently only handles HTTP-level auth.

Scope:

  • New tool: vault_exec — run a command with secrets injected as env vars
  • Secrets never appear in the agent's context
  • Audit logging for each exec call

Use cases:

  • PostgreSQL: vault_exec("psql", { DB_PASSWORD: "mydb" })
  • GCP SDK: vault_exec("gcloud", { GOOGLE_APPLICATION_CREDENTIALS: "gcp-sa" })
  • Any CLI tool that reads secrets from environment

Priority: High — unlocks databases and cloud SDKs
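
A sketch of the vault_exec behaviour requested above, added here as an example and not code from this project. The in-memory `SECRET_STORE`, the `AUDIT_LOG` list, the `PASSTHROUGH` allowlist, the `args` parameter and the output redaction are all assumptions made for illustration.

```python
import os
import subprocess
import sys
import time

# Constructed stand-in for the vault backend: secret name -> value (assumption).
SECRET_STORE = {"mydb": "constructed-db-password-123"}
AUDIT_LOG = []  # stand-in for a durable, append-only audit sink
PASSTHROUGH = ("PATH", "HOME", "LANG", "SYSTEMROOT")  # non-secret vars the child may inherit


def vault_exec(command, env_map, args=(), store=SECRET_STORE, timeout=30):
    """Run `command` with secrets injected as env vars; return only redacted output.

    env_map maps an environment variable name to a secret *name*, as in the
    issue's vault_exec("psql", { DB_PASSWORD: "mydb" }); `args` is hypothetical.
    """
    missing = sorted(ref for ref in env_map.values() if ref not in store)
    if missing:
        raise KeyError(f"unknown secret reference(s): {missing}")
    secrets = {var: store[ref] for var, ref in env_map.items()}

    # Start from an allowlisted environment so the parent's own credentials
    # are not handed to the child along with the requested ones.
    child_env = {k: os.environ[k] for k in PASSTHROUGH if k in os.environ}
    child_env.update(secrets)

    # argv list, no shell: the caller's strings are never parsed as shell syntax.
    proc = subprocess.run([command, *args], env=child_env, capture_output=True,
                          text=True, timeout=timeout)

    def redact(text):
        for value in secrets.values():
            if value:
                text = text.replace(value, "[REDACTED]")
        return text

    # Audit record carries names and references only, never secret values.
    AUDIT_LOG.append({"ts": time.time(), "command": command,
                      "env_vars": sorted(env_map), "secret_refs": sorted(env_map.values()),
                      "exit_code": proc.returncode})
    return {"exit_code": proc.returncode,
            "stdout": redact(proc.stdout), "stderr": redact(proc.stderr)}


if __name__ == "__main__":
    # Constructed child that prints the injected variable, to show the redaction.
    child = "import os; print('pw=' + os.environ['DB_PASSWORD'])"
    print(vault_exec(sys.executable, {"DB_PASSWORD": "mydb"}, args=["-c", child]))
    print(AUDIT_LOG)
```

Exact-match redaction does not catch a value the child re-encodes (base64, URL-encoding, partial output), so the set of commands allowed through vault_exec still has to be restricted to ones trusted not to echo their environment.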

Labels: enhancement (New feature or request)