Add -recursive option to list command #2142
E.g.:

```
$ vault write cubbyhole/how/deep/is/this/mess depth="pretty deep"
Success! Data written to: cubbyhole/how/deep/is/this/mess
$ vault write cubbyhole/how/deep/does/this/go depth="pretty deep"
Success! Data written to: cubbyhole/how/deep/does/this/go
$ vault write cubbyhole/test hello=world
Success! Data written to: cubbyhole/test
$ bin/vault list -recursive cubbyhole/
Keys
----
cubbyhole/how/
cubbyhole/how/deep/
cubbyhole/how/deep/does/
cubbyhole/how/deep/does/this/
cubbyhole/how/deep/does/this/go
cubbyhole/how/deep/is/
cubbyhole/how/deep/is/this/
cubbyhole/how/deep/is/this/mess
cubbyhole/test
```
Definitely improved from a user perspective. Does this take ACLs into account? I.e., can you only see the keys that you have permission to see? Or do you see everything, even if you can't access it? Also, how would you see that
I haven't tested ACLs but I would suspect it would work similar to how You can't see
FYI. Today is my last day of work at my current company. I do not know if my new company will be using Vault or not. So if folks want me to update this PR, it's more likely to get done today. Otherwise, someone might have to take over this work if I don't have the bandwidth to do it.
Hi @msabramo, We've done some talking internally and we think we'll eventually add functionality to support recursion but in a way that can be properly ACL'd. (There are features coming down the line that will allow this.) That way a client doesn't need to make many calls to Vault and Vault can make fewer calls to the backend.
Thanks though!
@jefferai any ticket or way to track that? I would like to know when it is done, without having to check in each release
Note that that being merged does not automatically mean that this enhancement would be accepted without some discussion. It just means that without that there's no way we would consider a server-side implementation in the first place.
Is it possible to use
Seems very sad this feature was never implemented since it would be so incredibly useful just to see what's available. Assuming a new user needs to see what keys are available, a simple list allows for this. Anyone got suggestions for alternatives?
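In case this is useful for anyone else, I threw this together in Python. I'm really rusty on my iteration skills, so please forgive an Ops guy for not being a developer. Anyway, you'll need to install the

```python
import hvac

# Vault address and token (sample values).
vlt = hvac.Client(url='http://127.0.0.1:8200', token='supersecretsquirrel')


def enum_vault(path=None):
    """Recursively walk a path and print every secret found under it."""
    # Avoid a mutable default argument; start at 'secret/' when none is given.
    if path is None:
        path = ['secret/']
    stuff = vlt.list("".join(path))
    try:
        keys = stuff['data']['keys']
    except TypeError:
        # list() returned None: nothing under this path.
        keys = []
    for k in keys:
        if k.endswith('/'):
            # Folder: descend, then restore the path on the way back up.
            path.append(str(k))
            enum_vault(path)
            path.pop()
        else:
            pathstr = "".join(path) + str(k)
            print(pathstr + " ==> " + str(vlt.read(pathstr)['data']))


enum_vault()
```

This yields output similar to this: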
Good luck, you lovely open sourcerers!
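
An ACL-aware variant of the client-side walk discussed in this thread, as an added example that is not part of the PR or any commenter's code: it issues only list calls, never reads secret values, and records subtrees where listing is denied instead of aborting. `list_fn`, `PermissionDenied`, and the in-memory `fake_list` backend with its deny rule are assumptions constructed for illustration; the paths reuse those from the PR description.

```python
from collections import deque

class PermissionDenied(Exception):
    """Hypothetical stand-in for a client's 'permission denied' (HTTP 403) error."""

def walk_keys(list_fn, root="secret/"):
    """Walk a key tree breadth-first using list calls only.

    list_fn(path) is an assumed callable: it returns child names (folders end
    in '/'), returns None for an empty path, and raises PermissionDenied when
    the token may not list that path.
    Returns (leaf_paths, denied_paths). Secret values are never read.
    """
    leaves, denied = [], []
    queue = deque([root])
    while queue:
        path = queue.popleft()
        try:
            keys = list_fn(path) or []
        except PermissionDenied:
            denied.append(path)  # record the subtree and keep walking the rest
            continue
        for key in keys:
            (queue if key.endswith("/") else leaves).append(path + key)
    return sorted(leaves), sorted(denied)

# Constructed sample data: the paths written in the PR description, plus a
# made-up policy that denies list on one subtree.
SECRETS = [
    "cubbyhole/how/deep/is/this/mess",
    "cubbyhole/how/deep/does/this/go",
    "cubbyhole/test",
]
DENIED_PREFIX = "cubbyhole/how/deep/is/"

def fake_list(path):
    """In-memory backend: one level of children, or PermissionDenied."""
    if path.startswith(DENIED_PREFIX):
        raise PermissionDenied(path)
    children = set()
    for secret in SECRETS:
        if secret.startswith(path):
            head, sep, _ = secret[len(path):].partition("/")
            children.add(head + sep)
    return sorted(children)

if __name__ == "__main__":
    found, blocked = walk_keys(fake_list, "cubbyhole/")
    print("visible keys:", found)
    print("list denied :", blocked)
```

To run this against a real server, pass a `list_fn` that wraps your client's list call and translates its permission error into `PermissionDenied`.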
I made some changes to the @pwhack snippet, so that it's more programmable.
A shell implementation: https://github.com/xuwang/vault-scripts/blob/master/vault-list-tree.sh. It's just for KV (v1,v2) store, not other paths.
E.g.:
Doesn't have tests yet, but I want to see if people like the idea of this feature first. (I will gladly accept a PR that adds tests :-)).
Alternative to #2135