layout | page_title | description |
---|---|---|
docs |
operator import - Command |
The "operator import" command imports secrets from external systems in to Vault. |
@include 'alerts/enterprise-only.mdx'
@include 'alerts/alpha.mdx'
The operator import
command imports secrets from external systems in to Vault.
Secrets with the same name at the same storage path will be overwritten upon import.
You can write import plans that read from as many sources as you want. The amount of data migrated from each source depends on the filters applied and the dataset available. Be mindful of the time needed to read from each source, apply any filters, and store the data in Vault.
Read the config file import.hcl
to generate a new import plan:
$ vault operator import -config import.hcl plan
Output:
-----------
Import plan
-----------
The following namespaces are missing:
* ns-1/
The following mounts are missing:
* ns-1/mount-1
Secrets to be imported to the destination "my-dest-1":
* secret-1
* secret-2
The operator import
command uses a dedicated configuration file to specify the source,
destination, and mapping rules. To learn more about these types and secrets importing in
general, refer to the Secrets Import documentation.
source_gcp {
name = "my-gcp-source-1"
credentials = "@/path/to/service-account-key.json"
}
destination_vault {
name = "my-dest-1"
address = "http://127.0.0.1:8200/"
token = "root"
namespace = "ns-1"
mount = "mount-1"
}
mapping_passthrough {
name = "my-map-1"
source = "my-gcp-1"
destination = "my-dest-1"
priority = 1
}
-
plan
- Executes a read-only operation to let operators preview the secrets to import based on the configuration file. -
apply
- Executes the import operations to read the specified secrets from the source and write them into Vault. Apply first executes a plan, then asks the user to approve the results before performing the actual import.
The operator import
command accepts the following flags:
-
-config
(string: "import.hcl")
- Path to the import configuration HCL file. The default path isimport.hcl
. -
-auto-approve
(bool: <false>)
- Automatically responds "yes" to all user-input prompts for theapply
command. -
-auto-create
(bool: <false>)
- Automatically creates any missing namespaces and KVv2 mounts when running theapply
command. -
-log-level
((#_log_level))(string: "info")
- Log verbosity level. Supported values (in order of descending detail) aretrace
,debug
,info
,warn
, anderror
. You can also set log-level with theVAULT_LOG_LEVEL
environment variable.