Skip to content

vietanhduong/vault-converter

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

43 Commits
.github/workflows
.github/workflows
 
 
cmd
cmd
 
 
pkg
pkg
 
 
.gitignore
.gitignore
 
 
.goreleaser.yaml
.goreleaser.yaml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

Vault Converter

License CI

Support converting Vault Secrets to different formats.

vault-converter is a tool designed to synchronize variables from local to Vault and vice versa.

Supported extensions:

  • tfvars
  • env

vault-converter uses Vault authentication method as userpass with fixed path userpass/. But you still can authenticate with token method by create a file contain client token at "$HOME/.vault-token".

Secret Engine supports Key/Value Version 2 (kv2).

Installation

Binaries (recommended)

Download your preferred asset from the releases page and install manually.

Source code

# clone repo to some directory outside GOPATH
git clone https://github.com/vietanhduong/vault-converter

cd vault-converter

go mod download

go build .

Usage

Currently, vault-converter supports synchronize variables from Vault to local and vice versa.

$ vault-converter --help
Convert to file from Vault. Support multiple file format like '.tfvars', '.env'

Usage:
  vault-converter [flags]
  vault-converter [command]

Available Commands:
  auth        Authenticates users to Vault
  completion  generate the autocompletion script for the specified shell
  help        Help about any command
  pull        Pull secrets from Vault and convert to file
  push        Parse source file and push to Vault

Flags:
  -h, --help      help for vault-converter
  -v, --version   Print version information and exit. This flag is only available at the global level.

Use "vault-converter [command] --help" for more information about a command.

Authenticate

User authentication with Vault

$ vault-converter auth --help
Authenticates users to Vault using the provided arguments. 
Method using: 'userpass'. The path of 'userpass' should be 'userpass/'

Usage:
  vault-converter auth [flags]

Flags:
  -a, --address string    Address of the Vault server. This can also be specified via the VAULT_ADDR environment variable. (default "https://dev-vault.knstats.com")
  -h, --help              help for auth
  -p, --password string   The user's password. This can also be specified via the VAULT_PASSWORD environment variables.
  -u, --username string   The username to authenticate with Vault server. This can also be specified via the VAULT_USER environment variables.

Global Flags:
  -v, --version   Print version information and exit. This flag is only available at the global level.

Sync variables from Vault to local

When you pull variables from Vault to local. vault-convert automatically override the content to the output file. Keep it in mind, if you don't want your variables to disappear.

$ vault-converter pull --help
Pull secrets from Vault with specified secret path and convert to file.
SECRET_PATH should be a absolute path at Vault and the values should be in JSON format.
Supports the following formats: "tfvars"

Usage:
  vault-converter pull SECRET_PATH [flags]

Flags:
  -a, --address string   Address of the Vault server. This can also be specified via the VAULT_ADDR environment variable. (default "https://dev-vault.knstats.com")
  -f, --format string    Output format (default "tfvars")
  -h, --help             help for pull
  -o, --output string    Output path. E.g: ~/data/variables.auto.tfvars (default "variables.auto.tfvars")

Global Flags:
  -v, --version   Print version information and exit. This flag is only available at the global level.

Sync variables from local to Vault

Sync variables from local to Vault. If the SECRET_PATH doesn't exist. vault-converter automatically create new path and push the content in there. But if the root path (secret engine path) does NOT exist, the request will be fail .

$ vault-converter push --help
Parse source file and push secrets to Vault.
Based on the extension of SOURCE_FILE to determine the file format. 
SECRET_PATH should be a absolute path at Vault and the values should 
be in JSON format.
Supports the following formats: "tfvars"

Usage:
  vault-converter push SOURCE_FILE SECRET_PATH [flags]

Flags:
  -a, --address string   Address of the Vault server. This can also be specified via the VAULT_ADDR environment variable. (default "https://dev-vault.knstats.com")
  -h, --help             help for push

Global Flags:
  -v, --version   Print version information and exit. This flag is only available at the global level.

List secret paths from Vault

List all secret paths from Vault. This feature will try to list all secret paths base on user permissions. If input path does not specify, it will return all secret.

You can list all secret paths by recursive by using -r or --recursive flags.

$ vault-converter ls --help
List all secret path in input [SECRET_PATH]. If the input [SECRET_PATH] is empty.
It will return all secret from 'root'. It will try to get all secret that current user
can 'read'.

Usage:
  vault-converter ls [SECRET_PATH] [flags]

Flags:
  -a, --address string   addr of the Auth server. This can also be specified via the VAULT_ADDR environment variable. (default "https://127.0.0.1:8200")
  -h, --help             help for ls
  -r, --recursive        List secret recursive or not.

Global Flags:
  -v, --version   Print version information and exit. This flag is only available at the global level.

About

Support converting Vault Secrets to diffrent formats.

Topics

vault terraform hashicorp-vault

Resources

Readme

License

Apache-2.0 license
Activity

Stars

17 stars

Watchers

3 watching

Forks

5 forks
Report repository

Releases 9

v0.3.1 Latest
Jul 18, 2022
+ 8 releases

Packages

No packages published

Languages