vsh is an interactive HashiCorp Vault shell which treats Vault secret paths like directories. That way you can do recursive operations on the paths. Both Vault KV v1 and v2 are supported, as is copying/moving secrets between the two versions.
vsh can also act as an executor in a non-interactive way (similar to bash -c "<cmd>").
Integration tests are running against vault
    mv <from-path> <to-path>
    cp <from-path> <to-path>
    rm <dir-path or file-path>
    ls <dir-path // optional>
    cd <dir-path>
    cat <file-path>

rm always have the -r flag implied, i.e., every operation works recursively on the paths.
    export VAULT_ADDR=http://localhost:8080
    export VAULT_TOKEN=root
    export VAULT_PATH=secret/  # VAULT_PATH is optional
    ./vsh
    http://localhost:8080 /secret/>
Note: in order to query the root
VAULT_TOKEN should have permissions to list the available secret backends (
In case you do not have those permissions you can use
VAULT_PATH to set the start path and avoid queries on
Note: the given token is used for auto-completion, i.e., quite some
List() queries are done with that token, even if you do not
If your token has a limited number of uses, then consider using the non-interactive mode to avoid auto-completion queries.
    export VAULT_ADDR=<addr>
    export VAULT_TOKEN=<token>
    ./vsh -c "rm secret/dir/to/remove/"
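Because rm always implies -r and the non-interactive mode runs it without a prompt, a wrapper can refuse shallow or oddly quoted paths before vsh is called. The following is an added example, not part of vsh: the function names and the VSH_* variables are hypothetical, and the minimum depth of 2 is an assumed policy.

```shell
# Added example (not vsh code). Hypothetical names: vsh_rm_check, vsh_safe_rm,
# VSH_MIN_DEPTH, VSH_DRY_RUN, VSH_BIN. Only `vsh -c "rm <path>"` is from the page.

# Print the normalised path if it is safe to hand to a recursive rm.
vsh_rm_check() {
    path=$1
    min_depth=${VSH_MIN_DEPTH:-2}   # assumption: mount plus one level below it

    # The path is interpolated into the -c command string, so anything outside
    # a conservative character set (spaces, quotes, ';') is refused.
    case $path in
        ''|*[!A-Za-z0-9_./-]*) echo "refused: unsafe characters" >&2; return 1 ;;
    esac

    # Collapse repeated slashes and drop the leading one.
    norm=$(printf '%s' "$path" | tr -s '/' | sed 's#^/##')

    # Refuse '.' and '..' segments and count the remaining ones.
    depth=0
    old_ifs=$IFS; IFS=/
    for seg in $norm; do
        case $seg in
            .|..) IFS=$old_ifs; echo "refused: relative segment" >&2; return 1 ;;
        esac
        depth=$((depth + 1))
    done
    IFS=$old_ifs

    if [ "$depth" -lt "$min_depth" ]; then
        echo "refused: '$norm' is too shallow for an implied -r" >&2
        return 1
    fi
    printf '%s\n' "$norm"
}

# Run (or, with VSH_DRY_RUN=1, only print) the non-interactive rm.
vsh_safe_rm() {
    if [ -z "${VAULT_ADDR:-}" ] || [ -z "${VAULT_TOKEN:-}" ]; then
        echo "refused: VAULT_ADDR and VAULT_TOKEN must be set" >&2
        return 1
    fi
    target=$(vsh_rm_check "$1") || return 1
    if [ "${VSH_DRY_RUN:-0}" = 1 ]; then
        printf '%s -c "rm %s"\n' "${VSH_BIN:-./vsh}" "$target"
        return 0
    fi
    "${VSH_BIN:-./vsh}" -c "rm $target"
}
```

Source the file and call `vsh_safe_rm secret/dir/to/remove/`; with `VSH_DRY_RUN=1` it prints the command it would run instead of deleting anything.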
docker for integration testing
make for simplified commands

    make compile
    make integration-test
- sys/mounts/ permission needed at the moment for auto-completion --> disable auto-completion on top level if permission not given
mv behaves a little differently from UNIX.
mv /secret/source/a /secret/target/ should yield
List() queries to reduce IO / token usage (?)
- more integration tests!