Skip to main content

Vault SSH Host Key Renewal Tool

Project description

Vault SSH Renewal Tool

Build Status PyPI version Download

vault-ssh-renew automates the process of renewing SSH host certificates issued by HashiCorp Vault. It will check whether a certificate is installed on the host, and whether it expires in the near future. Only then will it request Vault to issue a new certificate.

Please note that vault-ssh-renew does not take care of renewing the Vault token itself or of re-configuring your SSH server software to actually present the certificate. Please refer to the Vault documentation on how to achieve this.



pip install vault-ssh-renew

Debian/Ubuntu Packages

On Debian Buster, Ubuntu 18.04, and 20.04, you can install vault-ssh-renew from packages:

sudo apt-key adv --keyserver --recv AF0E925C4504784BF4E0FFF0C90E4BD2B36E75B9
echo "deb $(lsb_release -s -c) main" | sudo tee -a /etc/apt/sources.list.d/vault-ssh-renew.list
sudo apt-get update
sudo apt-get install vault-ssh-renew

The package will also install a daily timer to run vault-ssh-renew. If you are installing interactively, you will also be asked supply all the required configuration parameters, which will be written to /etc/default/vault-ssh-renew and can be edited there.


You may also run the tool using a Docker container:

docker run -ti -v/etc/ssh:/etc/ssh \
    -e VAULT_TOKEN=**** \
    -e VAULT_ADDR= \
    -e VAULT_SSH_SIGN_PATH=ssh/sign/host \

For every release, there also exists a corresponding tag suffixed with .cron (e.g.: :latest.cron) that runs the tools as a periodic cron job.


Configuration can be achieved using the following environment variables.

Variable Data Type Meaning Default
VAULT_ADDR URL Address under which Vault can be reached.
VAULT_TOKEN String Token for authentication against Vault.
VAULT_TOKEN_FILE String The path to read the Vault token from.
VAULT_SSH_HOST_KEY_PATH String The path to the SSH public key. /etc/ssh/
VAULT SSH_HOST_CERT_PATH String The path to the SSH host certificate. /etc/ssh/
VAULT_SSH_SIGN_PATH String The path to the signing endpoint, usually ⟨secret mountpoint⟩/sign/⟨role name⟩.
VAULT_SSH_PRINCIPALS List of Strings A space separated list of principals to request in the certificate Host's FQDN
VAULT_SSH_RENEWAL_THRESHOLD_DAYS Integer When the certificate is valid for less then this many days, renew it. 7

Kubernetes Deployment

The directory kubernetes/ in the source distribution contains a set of resources that can serve as a template to deploy vault-ssh-renew across your Kubernetes cluster. You'll need to:

  • edit secret.yaml to supply your Vault token
  • add the correct Vault address and signing path to configmap.yaml
  • optionally change the version in daemonset.yaml to something other than latest
kubectl apply -f kubernetes/*.yaml

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vault-ssh-renew-0.2.0.tar.gz (9.5 kB view hashes)

Uploaded source

Built Distribution

vault_ssh_renew-0.2.0-py3-none-any.whl (9.8 kB view hashes)

Uploaded py3

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Huawei Huawei PSF Sponsor Microsoft Microsoft PSF Sponsor NVIDIA NVIDIA PSF Sponsor Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page