vault-recursive-read is a ruby script that will discover all of the subpaths of a given path in vault, then export them to YAML or JSON.
- ruby with bundler
- vault binaries (you should be able to
vault list secret/
from your command line)
Clone this repository to your machine:
git clone https://github.com/BuyerQuest/vault-recursive-read.git
Enter the directory and run bundle install
:
cd vault-recursive-read/
bundle install
Authenticate to your vault server (use what's appropriate for your setup):
export VAULT_ADDR=https://my.vault.server
vault auth -method=ldap username=my.username
Invoke the script (the trailing slash is important):
./vault-recursive-read.rb -p secret/foo/
Paths that have keys with no data in them will be shown as skipped.
Vault entries are written to STDOUT in the specified format, with progress written to STDERR. Redirect the output to a file to save your data:
./vault-recursive-read.rb -p secret/test/ > secrets.yaml
$ git clone https://github.com/BuyerQuest/vault-recursive-read.git
Cloning into 'vault-recursive-read'...
remote: Counting objects: 13, done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 13 (delta 2), reused 10 (delta 2), pack-reused 0
Unpacking objects: 100% (13/13), done.
$ cd vault-recursive-read/
$ bundle install
Fetching gem metadata from https://rubygems.org/................
Resolving dependencies...
Using OptionParser 0.5.1
Using bundler 1.16.0
Using vault 0.10.1
Bundle complete! 2 Gemfile dependencies, 3 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.
$ export VAULT_ADDR=https://redacted.vault.url
$ vault auth -method=ldap username=fake.username
Successfully authenticated! You are now logged in.
#<snip>
$ ./vault-recursive-read.rb -p secret/test/
Reading secret/test/demo/dir1/dir2/path1
Skipped secret/test/uat/newrelic (no data)
---
secret/test/demo/dir1/dir2/path1:
:key1: val1
Use the --help
switch:
16:27 $ ./vault-recursive-read.rb --help
Recursive read for paths in vault.
Usage: ./vault-recursive-read.rb [options]
-p, --path=PATH Path in vault to read from, with a trailing slash. E.g. secret/foo/
-a, --vault-address=VAULT_ADDR Optional: URL used to access the Vault server. Defaults to the VAULT_ADDR environment variable
-t, --vault-token=VAULT_TOKEN Optional: A vault token. Defaults to VAULT_TOKEN environment variable, or reads ~/.vault-token
-f, --format=FORMAT Optional: Output data format. Supports YAML & JSON. Defaults to YAML
-h, --help Display this help
-v, --version Display the current script version