Installing Config Sesame

Below you find several different options to install the tool and Hashicorp Vault, and how to connect them.

Installing Into a Python Virtualenv

These commands install config-sesame into its own virtualenv in your home directory. It can be removed again easily, since almost everything is contained within the virtualenv’s directory. Also see Installing Python Software in case your machine lacks Python or tools like virtualenv.

#release="config-sesame"
release="https://github.com/1and1/config-sesame/archive/master.zip#egg=config-sesame"

# install "config-sesame" to its own virtualenv
mkdir -p ~/.local/virtualenvs
test -d ~/.local/virtualenvs/config-sesame \
    || virtualenv ~/.local/virtualenvs/config-sesame
~/.local/virtualenvs/config-sesame/bin/pip install -U pip setuptools wheel
~/.local/virtualenvs/config-sesame/bin/pip install -U "$release"
# if ~/bin did not exist yet, start a new login shell so that it is added to PATH
# (run the remaining commands in that new shell)
mkdir ~/bin 2>/dev/null && exec $SHELL -l
# expose the command without activating the virtualenv
ln -s ~/.local/virtualenvs/config-sesame/bin/config-sesame ~/bin
config-sesame --version

On Linux, if you want to safely store the credentials to access Vault in your account’s keyring, execute these additional commands:

sudo apt-get install libdbus-glib-1-dev python-dev libffi-dev build-essential
~/.local/virtualenvs/config-sesame/bin/pip install secretstorage dbus-python keyring

See keyring installation for more details on that.

Installing Hashicorp Vault

See Vault’s documentation for detailed instructions. For a simple development / test installation on Ubuntu, this works when called in a root shell:

version=0.5.3
curl -sLS "https://releases.hashicorp.com/vault/${version}/vault_${version}_linux_amd64.zip" \
    | funzip >/usr/local/bin/vault
chmod a+x /usr/local/bin/vault
apt-get install supervisor
adduser vault --ingroup daemon --home /var/lib/vault --system --disabled-password
cat >/etc/supervisor/conf.d/vault.conf <<'EOF'
[program:vault]
command         = /usr/local/bin/vault server -dev
user            = vault
redirect_stderr = True
autostart       = True
EOF
supervisorctl update
supervisorctl tail -2200 vault

Warning

As mentioned above, this is intended for experimenting with Vault on your workstation. Do NOT run it this way on anything that is intended for production use.

Providing Credentials for Vault

Make sure your Vault server is up and reachable by using these commands:

export VAULT_ADDR="http://127.0.0.1:8200"
vault status

If the server runs on a remote machine, adapt the VAULT_ADDR accordingly.

Let’s try accessing the server via config-sesame next. First, add the Vault root token to your keyring by calling the config-sesame login command, which will prompt you for the token and remember it in a safe place. For the test setup as outlined above, you’ll find that token in the file /var/lib/vault/.vault-token. You can also set the VAULT_TOKEN environment variable or create the ~/.vault-token file (both are less secure than using the keyring); otherwise you’ll be prompted for the token on the console each time it is needed. Finally, call the config-sesame help command, and it should show some information about your running Vault service.

Note that in a production setup, you will have a personal access token, e.g. obtained via LDAP or similar credentials.
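As an added pre-flight check for the setup just described (example code, not part of config-sesame), the following script reports which of the token sources named above would be used and whether a ~/.vault-token file is readable by other users; the lookup order (VAULT_TOKEN before ~/.vault-token) and the function names are assumptions.

```shell
# Added pre-flight check for the credential setup described above; it is
# not part of config-sesame. It reports which of the documented token
# sources would be used and flags a token file readable by other users.
# The lookup order (VAULT_TOKEN before ~/.vault-token) is assumed here.

# Report "ok", "insecure" or "missing" for a token file; only 0600/0400 is ok.
token_file_check() {
    file="${1:-$HOME/.vault-token}"
    [ -f "$file" ] || { echo missing; return 1; }
    # GNU stat prints the octal mode with -c; BSD/macOS stat needs -f.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) echo ok; return 0 ;;
        *)       echo insecure; return 2 ;;
    esac
}

# Which documented source supplies the token: env, file, or prompt/keyring.
# Arguments: value of VAULT_TOKEN (may be empty), path of the token file.
token_source() {
    if [ -n "$1" ]; then
        echo env
    elif [ -f "$2" ]; then
        echo file
    else
        echo prompt-or-keyring
    fi
}

# Classify VAULT_ADDR: plain http is expected for the local dev server
# from the section above, but a remote server should be reached over TLS.
addr_check() {
    case "$1" in
        https://*)                             echo tls ;;
        http://127.0.0.1:*|http://localhost:*) echo local-dev ;;
        http://*)                              echo plaintext-remote ;;
        *)                                     echo invalid ;;
    esac
}

# Summarise the current shell's setup before running `config-sesame help`.
preflight() {
    addr="${VAULT_ADDR:-http://127.0.0.1:8200}"
    echo "VAULT_ADDR=$addr ($(addr_check "$addr"))"
    echo "token source: $(token_source "${VAULT_TOKEN:-}" "$HOME/.vault-token")"
    if [ -f "$HOME/.vault-token" ]; then
        echo "token file mode: $(token_file_check "$HOME/.vault-token")"
    fi
}
```

Source the file and call preflight in the same shell in which you export VAULT_ADDR; a "plaintext-remote" or "insecure" result is worth fixing before storing a token anywhere.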

Production Deployment

The project contains a debian directory that supports building a self-contained Python virtualenv wrapped into a Debian package (an “omnibus” package, all passengers on board). The packaged virtualenv is kept in sync with the host’s interpreter automatically. See dh-virtualenv for more details. On platforms that are not some Debian flavour, consider using rpmvenv, platter or fpm. The motivation to strongly prefer native packages for deployment can be found in Python Application Deployment with Native Packages.

Note that you need to install the usual Debian development tools and dh-virtualenv (at least version 0.10), before you can actually build the DEB package. These incantations will perform that for you (on Xenial):

sudo apt-get install build-essential debhelper devscripts equivs
sudo mk-build-deps --install debian/control

Jessie only ships version 0.7, which might work; otherwise you have to build a newer version from source or use 0.10 from backports.

Then, if you have all pre-requisites satisfied, try this:

dpkg-buildpackage -uc -us -b

or, if you followed the instructions to create a developer working directory, this instead:

invoke deb

The resulting package, if all went well, can be found in the parent of your project directory for the direct dpkg-buildpackage call, and in dist when you used invoke. You can upload it to a Debian package repository via e.g. dput; see dput-webdav for a hassle-free solution that works with Artifactory and Bintray.