steps:
  - name: fetch-secrets
    image: hashicorp/vault:latest
    environment:
      VAULT_ADDR:
        from_secret: vault_addr
      VAULT_ROLE_ID:
        from_secret: vault_role_id
      VAULT_SECRET_ID:
        from_secret: vault_secret_id
    commands:
      - export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$VAULT_ROLE_ID secret_id=$VAULT_SECRET_ID)
      - vault kv get -format=json projects/test/demo | jq -r '.data.data | to_entries[] | "export \(.key)=\(.value)"' > .env.vault
      - echo "Fetched secrets:"
      - cat .env.vault

  - name: use-secrets
    image: alpine
    commands:
      - source .env.vault
      - echo "APP_NAME=$APP_NAME"
      - echo "DB_HOST=$DB_HOST"
      - echo "DB_PASS length=$(echo -n $DB_PASS | wc -c) chars"
      - echo "Secrets are available in any step via .env.vault"