Sync HashiCorp Vault secrets into runtime vault bundle

• Purpose: Populate the runtime vault bundle from an external HashiCorp Vault authority for bootstrap, CI, and DR runs. Owner: Platform operations

• Trigger: Before running modules or runner-dispatched workflows that require secrets, or when rotating secrets in HashiCorp Vault.

• Impact: Without this sync (or explicit overrides), modules may fail with missing env vars.

• Severity: P3 Pre-reqs: Reachability to HashiCorp Vault, hyops init hashicorp-vault completed for the env, and ansible-vault installed when the token is cached in the runtime vault bundle.

• Rollback strategy: Overwrite keys via hyops secrets set, or rotate in HashiCorp Vault and re-sync.

---

Context

This runbook deliberately distinguishes:

• HashiCorp Vault = external secret authority
• runtime vault bundle = per-environment encrypted cache at:
• <root>/vault/bootstrap.vault.env

The runtime vault bundle is an execution cache, not the long-term source of truth.

The clean operator flow is:

1. hyops init hashicorp-vault
2. hyops secrets vault-sync
3. optional hyops secrets set|ensure --persist vault

Secret mappings are driven by:

• tools/secrets/hashicorp-vault/map/allowed.csv

Each mapped secret ref may include:

• {env} placeholder
• {scope} placeholder
• optional #FIELD selector

Default resolution assumes a KV v2 engine unless overridden.

---

Preconditions and safety checks

• Confirm Vault address and token source are available:

  echo "$VAULT_ADDR" echo "${VAULT_TOKEN:+set}"

Notes: - after hyops init hashicorp-vault --persist-token, hyops secrets vault-sync can read the token from the runtime vault bundle - shell env still overrides the cached token when both exist

• Confirm the env-scoped Vault init target is ready:

  hyops init status --env dev

• Confirm the vault password provider is ready (workstations):

  hyops vault status-verbose

Notes: - After hyops vault bootstrap, HyOps remembers the provider command at ~/.hybridops/config/vault-password-command. - In a fresh shell, if vault is locked, unlock once:

    hyops vault password >/dev/null

---

Steps

1) Dry-run the sync

• If this is a fresh environment, initialise Vault first:

  VAULT_ADDR=https://vault.example.com \ VAULT_TOKEN=... \ hyops init hashicorp-vault --env dev

• Command:

  VAULT_ADDR=https://vault.example.com \ VAULT_TOKEN=... \ hyops secrets vault-sync --env dev --scope dr --dry-run

• Expected result: a list of env keys that would be synced, with expanded Vault secret refs.

2) Run the sync

• Command:

  VAULT_ADDR=https://vault.example.com \ VAULT_TOKEN=... \ hyops secrets vault-sync --env dev --scope dr

• Expected result: synced <N> keys into <root>/vault/bootstrap.vault.env.

3) Optional: use the same source during runner dispatch

• Command:

  VAULT_ADDR=https://vault.example.com \ VAULT_TOKEN=... \ hyops runner blueprint preflight --env dev \ --runner-state-ref platform/linux/ops-runner#gcp_ops_runner_bootstrap \ --secret-source vault \ --secret-scope dr \ --sync-env PATRONI_SUPERUSER_PASSWORD \ --sync-env PATRONI_REPLICATION_PASSWORD \ --sync-env PG_BACKUP_GCS_SA_JSON \ --file "$HOME/.hybridops/envs/dev/config/blueprints/dr-postgresql-ha-failover-gcp.yml"

This refreshes the runtime vault bundle from HashiCorp Vault before staging the runner job.

---

Verification

• Confirm the required env keys are present:

  hyops secrets show --env dev \ PATRONI_SUPERUSER_PASSWORD \ PATRONI_REPLICATION_PASSWORD \ PG_BACKUP_GCS_SA_JSON

• Run module or runner preflight and confirm it no longer fails with missing env vars.

---

Troubleshooting

environment variable VAULT_TOKEN is required for Vault auth

• Meaning: the selected token env var is not set in the current shell.

• Remediation:

  export VAULT_TOKEN='...'

failed to fetch Vault secret ...

• Meaning: the secret ref, token policy, namespace, or engine/path resolution is wrong.

• Remediation:

• Confirm the mapped secret ref in tools/secrets/hashicorp-vault/map/allowed.csv
• Confirm the KV engine mode:
  • --vault-engine kv-v2 (default)
  • --vault-engine kv-v1
• Confirm the token policy can read the target path.

failed to read vault file ... unlock GPG in this shell

• Meaning: the runtime vault cache exists but cannot be decrypted in the current shell.

• Remediation:

  hyops vault password >/dev/null

---

References

• Init HashiCorp Vault with hyops init hashicorp-vault
• Generate bootstrap secrets into runtime vault bundle
• Sync Azure Key Vault secrets into runtime vault bundle
• Runner-Local DR Execution Model

---

License: MIT-0 for code, CC-BY-4.0 for documentation