https://github.com/pbar1/vault-init
Initializes HashiCorp Vault and saves the root token and keys in providers of your choice
- Host: GitHub
- URL: https://github.com/pbar1/vault-init
- Owner: pbar1
- License: mit
- Created: 2021-02-09T03:30:07.000Z (over 5 years ago)
- Default Branch: main
- Last Pushed: 2023-06-27T07:53:13.000Z (about 3 years ago)
- Last Synced: 2025-10-29T11:43:04.886Z (8 months ago)
- Topics: aws, kubernetes, vault
- Language: Rust
- Homepage:
- Size: 13.2 MB
- Stars: 4
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# vault-init
Initializes HashiCorp Vault and saves the root token and keys in a provider of your choice.
```sh
docker pull ghcr.io/pbar1/vault-init
```
## Usage
### CLI
```
Initialize an instance of `HashiCorp` Vault and persist the keys

Usage: vault-init [OPTIONS]

Options:
      --vault-addr
          Address of the Vault server expressed as a URL and port [env: VAULT_ADDR=] [default: http://127.0.0.1:8200]
      --pgp-keys
          Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as `secret_shares`
      --root-token-pgp-key
          Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representations
      --secret-shares
          Specifies the number of shares to split the root key into [default: 1]
      --secret-threshold
          Specifies the number of shares required to reconstruct the root key. This must be less than or equal `secret_shares` [default: 1]
      --stored-shares
          Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as `secret_shares`
      --recovery-shares
          Specifies the number of shares to split the recovery key into. This is only available when using Auto Unseal
      --recovery-threshold
          Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to recovery_shares. This is only available when using Auto Unseal
      --recovery-pgp-keys
          Specifies an array of PGP public keys used to encrypt the output recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as `recovery_shares`. This is only available when using Auto Unseal
  -h, --help
          Print help
```
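The help text requires each `--pgp-keys` value to be base64 of the key's binary form, one key per share, which an ASCII-armored export does not satisfy as-is. The following is an added example, not code from vault-init: it strips the armor, verifies the armor checksum, and enforces the share and threshold rules stated above. The function names are hypothetical, the sample keys are constructed bytes rather than real keys, and how multiple values are passed on the command line is not shown on this page.

```python
import base64

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str) -> bytes:
    """Return the binary packets inside an armored PGP public key block."""
    lines = [line.strip() for line in armored.strip().splitlines()]
    if len(lines) < 3 or "BEGIN PGP PUBLIC KEY BLOCK" not in lines[0]:
        raise ValueError("not an armored PGP public key")
    body = lines[1:-1]
    if "" in body:  # armor headers such as "Version:" end at the blank line
        body = body[body.index("") + 1:]
    checksum = None
    if body and body[-1].startswith("="):  # optional "=XXXX" CRC-24 line
        checksum = int.from_bytes(base64.b64decode(body.pop()[1:]), "big")
    raw = base64.b64decode("".join(body), validate=True)
    if checksum is not None and crc24(raw) != checksum:
        raise ValueError("armor CRC-24 mismatch, key is corrupted")
    if not raw or not raw[0] & 0x80:  # every OpenPGP packet tag sets bit 7
        raise ValueError("payload is not OpenPGP packet data")
    return raw

def pgp_keys_values(armored_keys, secret_shares, secret_threshold):
    """Base64 values for --pgp-keys, checked against the help text's rules."""
    if secret_threshold > secret_shares:
        raise ValueError("secret_threshold must be <= secret_shares")
    if len(armored_keys) != secret_shares:
        raise ValueError("need exactly one PGP key per secret share")
    return [base64.b64encode(dearmor(k)).decode() for k in armored_keys]

def make_armored(raw: bytes) -> str:
    """Constructed sample input: armor arbitrary bytes (not a real key)."""
    body = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
            f"{body}\n={crc}\n-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    samples = [make_armored(bytes([0x99, 0, 3, n, n, n])) for n in (1, 2, 3)]
    print(pgp_keys_values(samples, secret_shares=3, secret_threshold=2))
```

Because ordering is preserved, the n-th returned value corresponds to the n-th unseal key share, so keep the list in the same order as the key holders.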
### Config
```hcl
save_method "file" {
  path      = "vault-init.json"
  overwrite = true
}

save_method "kube_secret" {
  name      = "vault-init"
  key       = "init.json"
  overwrite = true
  labels = {
    "foo" = "foo"
  }
  annotations = {
    "example.com/baz" = "baz"
  }
}
```