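# Pipeline steps: log in to Vault with AppRole, write the KV secret at
# projects/test/demo as shell exports to .env.vault in the workspace, then
# load that file in a later step.
steps:
  - name: fetch-secrets
    # NOTE(review): `latest` is a moving tag. Pin a specific version or digest
    # so the image that handles the AppRole credentials cannot change
    # underneath the pipeline.
    # NOTE(review): the script below needs python3 inside this image; confirm
    # it is present.
    image: hashicorp/vault:latest
    environment:
      VAULT_ADDR:
        from_secret: vault_addr
      VAULT_ROLE_ID:
        from_secret: vault_role_id
      VAULT_SECRET_ID:
        from_secret: vault_secret_id
    commands:
      # Files created below hold secret material; create them owner-only.
      # NOTE(review): assumes later steps run as the same user; confirm.
      - umask 077
      # Assign first, export second: `export VAR=$(cmd)` returns the status of
      # `export`, so a failed AppRole login would go unnoticed until later.
      - >-
        VAULT_TOKEN=$(vault write -field=token auth/approle/login
        role_id="$VAULT_ROLE_ID" secret_id="$VAULT_SECRET_ID")
      - export VAULT_TOKEN
      - vault kv get -format=json projects/test/demo > /tmp/secrets.json
      - echo "Fetched secrets:"
      # Write one `export KEY=value` line per secret. Values are shell-quoted
      # and key names are validated because the file is later sourced, i.e.
      # executed as shell code. Only key names are printed; the values must
      # not reach the build log.
      - |
        python3 -c "
        import json, re, shlex
        with open('/tmp/secrets.json') as src:
            data = json.load(src)['data']['data']
        with open('.env.vault', 'w') as out:
            for key, value in data.items():
                if not re.fullmatch('[A-Za-z_][A-Za-z0-9_]*', key):
                    raise SystemExit('refusing unsafe key name from Vault')
                out.write(f'export {key}={shlex.quote(str(value))}\n')
                print(key)
        "
      # The raw JSON copy of the secret is no longer needed.
      - rm -f /tmp/secrets.json

  - name: use-secrets
    # NOTE(review): an untagged image resolves to `latest`; pin a version or
    # digest here as well.
    image: alpine
    commands:
      # POSIX `.` with an explicit ./ path: without a slash the shell looks the
      # file up on PATH, and `source` is not available in every /bin/sh.
      - '. ./.env.vault'
      # Only echo values that are safe to appear in the build log.
      - echo "APP_NAME=$APP_NAME"
      - echo "DB_HOST=$DB_HOST"
      # Quoted expansion and printf give the exact length without word
      # splitting and without echo treating the value as an option.
      - echo "DB_PASS length=$(printf %s "$DB_PASS" | wc -c) chars"
      # .env.vault stays in the shared workspace in plaintext: keep it out of
      # artifacts, caches and commits, and delete it in the last step that
      # needs it.
      - echo "Secrets are available in any step via .env.vault"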