Support converting Vault Secrets to different formats.
vault-converter
is a tool designed to synchronize variables from local to Vault and vice versa.
Supported extensions:
- tfvars
- env
vault-converter
uses Vault authentication method as userpass with fixed path userpass/. But you still can
authenticate with token method by create a file contain client token at "$HOME/.vault-token".
Secret Engine supports Key/Value Version 2 (kv2).
Download your preferred asset from the releases page and install manually.
# clone repo to some directory outside GOPATH
git clone https://github.com/vietanhduong/vault-converter
cd vault-converter
go mod download
go build .
Currently, vault-converter
supports synchronize variables from Vault to local and vice versa.
$ vault-converter --help
Convert to file from Vault. Support multiple file format like '.tfvars', '.env'
Usage:
vault-converter [flags]
vault-converter [command]
Available Commands:
auth Authenticates users to Vault
completion generate the autocompletion script for the specified shell
help Help about any command
pull Pull secrets from Vault and convert to file
push Parse source file and push to Vault
Flags:
-h, --help help for vault-converter
-v, --version Print version information and exit. This flag is only available at the global level.
Use "vault-converter [command] --help" for more information about a command.
User authentication with Vault
$ vault-converter auth --help
Authenticates users to Vault using the provided arguments.
Method using: 'userpass'. The path of 'userpass' should be 'userpass/'
Usage:
vault-converter auth [flags]
Flags:
-a, --address string Address of the Vault server. This can also be specified via the VAULT_ADDR environment variable. (default "https://dev-vault.knstats.com")
-h, --help help for auth
-p, --password string The user's password. This can also be specified via the VAULT_PASSWORD environment variables.
-u, --username string The username to authenticate with Vault server. This can also be specified via the VAULT_USER environment variables.
Global Flags:
-v, --version Print version information and exit. This flag is only available at the global level.
When you pull variables from Vault to local. vault-convert
automatically override the content to the output file. Keep
it in mind, if you don't want your variables to disappear.
$ vault-converter pull --help
Pull secrets from Vault with specified secret path and convert to file.
SECRET_PATH should be a absolute path at Vault and the values should be in JSON format.
Supports the following formats: "tfvars"
Usage:
vault-converter pull SECRET_PATH [flags]
Flags:
-a, --address string Address of the Vault server. This can also be specified via the VAULT_ADDR environment variable. (default "https://dev-vault.knstats.com")
-f, --format string Output format (default "tfvars")
-h, --help help for pull
-o, --output string Output path. E.g: ~/data/variables.auto.tfvars (default "variables.auto.tfvars")
Global Flags:
-v, --version Print version information and exit. This flag is only available at the global level.
Sync variables from local to Vault. If the SECRET_PATH
doesn't exist. vault-converter
automatically create new path
and push the content in there. But if the root path (secret engine path) does NOT exist, the request will be fail
.
$ vault-converter push --help
Parse source file and push secrets to Vault.
Based on the extension of SOURCE_FILE to determine the file format.
SECRET_PATH should be a absolute path at Vault and the values should
be in JSON format.
Supports the following formats: "tfvars"
Usage:
vault-converter push SOURCE_FILE SECRET_PATH [flags]
Flags:
-a, --address string Address of the Vault server. This can also be specified via the VAULT_ADDR environment variable. (default "https://dev-vault.knstats.com")
-h, --help help for push
Global Flags:
-v, --version Print version information and exit. This flag is only available at the global level.
List all secret paths from Vault. This feature will try to list all secret paths base on user permissions. If input path does not specify, it will return all secret.
You can list all secret paths by recursive by using -r or --recursive
flags.
$ vault-converter ls --help
List all secret path in input [SECRET_PATH]. If the input [SECRET_PATH] is empty.
It will return all secret from 'root'. It will try to get all secret that current user
can 'read'.
Usage:
vault-converter ls [SECRET_PATH] [flags]
Flags:
-a, --address string addr of the Auth server. This can also be specified via the VAULT_ADDR environment variable. (default "https://127.0.0.1:8200")
-h, --help help for ls
-r, --recursive List secret recursive or not.
Global Flags:
-v, --version Print version information and exit. This flag is only available at the global level.