Utility to migrate Delinea (aka Thycotic) Secret Server static secrets to Vault's KV v2 engine. More generally, it may be used to import any CSV data to Vault, provided that it is appropriately formatted.
CSV files are processed separately due to the schema differences that may be present in the source data. Individual secrets are dictated by CSV rows, while column headers dictate the "key" in resulting key/value pairs.
The "Folder" value in the CSV source is used to determine the path within the KV engine where the secret (with secret name dictated by "Secret Name" in the source) is stored in Vault.
For example, consider the following CSV data structure:
Secret Name,username,password,notes,Folder
my test account,admin,supersecret,details about this secret,\path\to\this\secret
After importing to the Vault KV v2 engine path at mountpoint kv/
, this entry
would present as the key/value pair when retrieved via the Vault CLI:
=========== Secret Path ===========
kv/data/path/to/this/secret/my_test_account
======= Metadata =======
Key Value
--- -----
created_time 2023-10-18T22:09:52.485747301Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
============= Data =============
Key Value
--- -----
notes details about this secret
password supersecret
username admin
- Install Go
- Clone this repository
- Compile the binary for your architecture:
cd ss2vault
go mod tidy
go build
- CSV(s) exported from Secret Server (one CSV per data schema)
- Initialized and unsealed Vault server
- Preexisting kv-v2 secrets engine
- Vault token with appropriate access to the engine
- Vault server connectivity from the location where this utility is executed
ss2vault -vaultToken $VAULT_TOKEN -vaultNamespace myNamespace -inputCsvPath /tmp/ss_data/ -vaultKvPath kv-v2
Usage of ss2vault:
-inputCsvFile string
Path to specific CSV file to be processed
-inputCsvPath string
Path to directory containing one or more CSV files to be processed
-pathSourceColumn string
CSV column header to use to determine the KV path (default "Folder")
-secretSourceColumn string
CSV column header to use for the created KV secret (default "Secret Name")
-undo
Setting this to true attempts to delete the secrets in Vault that are referenced in the CSV input file(s)
-vaultAddr string
Vault Address (default "http://127.0.0.1:8200")
-vaultKvPath string
Vault KV v2 mount path (default "kv")
-vaultNamespace string
Vault Namespace (default "root")
-vaultToken string
Vault token
-verbose
Setting this to true enables detailed output
- Spaces in paths and filenames are converted to underscores during the import process
- Illegal (non-ascii and non-alphanumeric) characters are stripped from paths (not from secrets/values)
- For generic CSV data that did not originate from Secret Server, the
-pathSourceColumn
and-secretSourceColumn
may be used to override the default behavior. These options should not be necessary under typical circumstances.