vsh - HashiCorp Vault interactive shell

vsh

vsh is an interactive HashiCorp Vault shell which treats Vault secret paths like directories. That way you can do recursive operations on the paths. Both Vault KV v1 and v2 are supported. Copying and moving secrets between the two versions is supported as well.

vsh can also act as an executor in a non-interactive way (similar to bash -c "<cmd>").

Integration tests run against Vault 1.2.2.

Supported commands

mv <from-path> <to-path>
cp <from-path> <to-path>
rm <dir-path or file-path>
ls <dir-path // optional>
cd <dir-path>
cat <file-path>

Unlike on Unix, cp and rm always have the -r flag implied, i.e., every operation works recursively on the paths.

Interactive mode

export VAULT_ADDR=http://localhost:8080
export VAULT_TOKEN=root
export VAULT_PATH=secret/  # VAULT_PATH is optional
./vsh
http://localhost:8080 /secret/> 

Note: in order to query the root (/), the VAULT_TOKEN should have permissions to list the available secret backends (sys/mounts/). If you do not have those permissions, you can use VAULT_PATH to set the start path and avoid queries on sys/mounts/.

Note: the given token is also used for auto-completion, i.e., a considerable number of List() queries are made with that token even if you do not rm or mv anything. If your token has a limited number of uses, consider using the non-interactive mode to avoid auto-completion queries.
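The sketch below is an added example, not code from the vsh project: it models how a path is expanded recursively (the implied -r) and how many requests that costs a use-limited token. The names fakeKV, walk, rmCost and sampleKV are hypothetical, the tree is constructed sample data, and the cost model (one request per List, one per deleted leaf) is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// fakeKV is a constructed in-memory stand-in for a Vault KV mount (not vsh's
// client code). As in Vault's list call, keys ending in "/" are sub-paths.
type fakeKV struct {
	tree  map[string][]string
	lists int // List requests issued so far; each one spends a token use
}

func (f *fakeKV) List(dir string) []string {
	f.lists++
	return f.tree[dir]
}

// walk returns every leaf below dir: the set an implied -r operates on.
func walk(kv *fakeKV, dir string) []string {
	var leaves []string
	for _, k := range kv.List(dir) {
		if strings.HasSuffix(k, "/") {
			leaves = append(leaves, walk(kv, dir+k)...)
		} else {
			leaves = append(leaves, dir+k)
		}
	}
	return leaves
}

// rmCost: assumed model of a recursive rm, one request per List and per leaf.
func rmCost(kv *fakeKV, dir string) ([]string, int) {
	before := kv.lists
	leaves := walk(kv, dir)
	return leaves, kv.lists - before + len(leaves)
}

// sampleKV: constructed tree; "sub" exists both as a secret and as a path.
func sampleKV() *fakeKV {
	return &fakeKV{tree: map[string][]string{
		"secret/dir/":     {"a", "sub", "sub/"},
		"secret/dir/sub/": {"c"},
	}}
}

func main() {
	fmt.Println(rmCost(sampleKV(), "secret/dir/"))
}
```

Comparing the returned request count with the token's remaining uses before running a recursive command shows whether the operation could stop partway through the tree.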

Non-interactive mode

export VAULT_ADDR=<addr>
export VAULT_TOKEN=<token>
./vsh -c "rm secret/dir/to/remove/"

Local Development

Requirements:

  • golang v1.12.7
  • docker for integration testing
  • make for simplified commands

make compile
make integration-test

TODOs

  • sys/mounts/ permission is needed at the moment for auto-completion --> disable auto-completion on the top level if the permission is not given
  • tree command
  • currently mv behaves a little differently from UNIX: mv /secret/source/a /secret/target/ should yield /secret/target/a
  • caching List() queries to reduce IO / token usage (?)
  • more integration tests!