Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/vietanhduong/vault-converter
Support converting Vault Secrets to diffrent formats.
https://github.com/vietanhduong/vault-converter
hashicorp-vault terraform vault
Last synced: 2 months ago
JSON representation
Support converting Vault Secrets to diffrent formats.
- Host: GitHub
- URL: https://github.com/vietanhduong/vault-converter
- Owner: vietanhduong
- License: apache-2.0
- Created: 2021-10-10T01:48:51.000Z (over 3 years ago)
- Default Branch: master
- Last Pushed: 2023-08-30T14:22:43.000Z (over 1 year ago)
- Last Synced: 2024-06-19T01:59:59.505Z (7 months ago)
- Topics: hashicorp-vault, terraform, vault
- Language: Go
- Homepage:
- Size: 5.87 MB
- Stars: 17
- Watchers: 3
- Forks: 5
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Vault Converter
[](https://opensource.org/licenses/Apache-2.0)
[](https://github.com/vietanhduong/vault-converter/actions/workflows/ci.yaml)
**Support converting Vault Secrets to different formats.**
`vault-converter` is a tool designed to synchronize variables from local to Vault and vice versa.
**Supported extensions:**
* tfvars
* env
`vault-converter` uses Vault authentication method as **userpass** with fixed path **userpass/**. But you still can
authenticate with **token** method by create a file contain client token at **"$HOME/.vault-token"**.
Secret Engine supports **Key/Value Version 2** *(kv2)*.
## Installation
### Binaries (recommended)
Download your preferred asset from the [releases page](https://github.com/vietanhduong/vault-converter/releases) and
install manually.
### Source code
```shell
# clone repo to some directory outside GOPATH
git clone https://github.com/vietanhduong/vault-converter
cd vault-converter
go mod download
go build .
```
## Usage
Currently, `vault-converter` supports synchronize variables from Vault to local and vice versa.
```console
$ vault-converter --help
Convert to file from Vault. Support multiple file format like '.tfvars', '.env'
Usage:
vault-converter [flags]
vault-converter [command]
Available Commands:
auth Authenticates users to Vault
completion generate the autocompletion script for the specified shell
help Help about any command
pull Pull secrets from Vault and convert to file
push Parse source file and push to Vault
Flags:
-h, --help help for vault-converter
-v, --version Print version information and exit. This flag is only available at the global level.
Use "vault-converter [command] --help" for more information about a command.
```
### Authenticate
User authentication with Vault
```console
$ vault-converter auth --help
Authenticates users to Vault using the provided arguments.
Method using: 'userpass'. The path of 'userpass' should be 'userpass/'
Usage:
vault-converter auth [flags]
Flags:
-a, --address string Address of the Vault server. This can also be specified via the VAULT_ADDR environment variable. (default "https://dev-vault.knstats.com")
-h, --help help for auth
-p, --password string The user's password. This can also be specified via the VAULT_PASSWORD environment variables.
-u, --username string The username to authenticate with Vault server. This can also be specified via the VAULT_USER environment variables.
Global Flags:
-v, --version Print version information and exit. This flag is only available at the global level.
```
### Sync variables from Vault to local
When you pull variables from Vault to local. `vault-convert` automatically override the content to the output file. Keep
it in mind, if you don't want your variables to disappear.
```console
$ vault-converter pull --help
Pull secrets from Vault with specified secret path and convert to file.
SECRET_PATH should be a absolute path at Vault and the values should be in JSON format.
Supports the following formats: "tfvars"
Usage:
vault-converter pull SECRET_PATH [flags]
Flags:
-a, --address string Address of the Vault server. This can also be specified via the VAULT_ADDR environment variable. (default "https://dev-vault.knstats.com")
-f, --format string Output format (default "tfvars")
-h, --help help for pull
-o, --output string Output path. E.g: ~/data/variables.auto.tfvars (default "variables.auto.tfvars")
Global Flags:
-v, --version Print version information and exit. This flag is only available at the global level.
```
### Sync variables from local to Vault
Sync variables from local to Vault. If the `SECRET_PATH` doesn't exist. `vault-converter` automatically create new path
and push the content in there. But if the root path *(secret engine path)* does NOT exist, the request will be **fail**
.
```console
$ vault-converter push --help
Parse source file and push secrets to Vault.
Based on the extension of SOURCE_FILE to determine the file format.
SECRET_PATH should be a absolute path at Vault and the values should
be in JSON format.
Supports the following formats: "tfvars"
Usage:
vault-converter push SOURCE_FILE SECRET_PATH [flags]
Flags:
-a, --address string Address of the Vault server. This can also be specified via the VAULT_ADDR environment variable. (default "https://dev-vault.knstats.com")
-h, --help help for push
Global Flags:
-v, --version Print version information and exit. This flag is only available at the global level.
```
### List secret paths from Vault
List all secret paths from Vault. This feature will try to list all secret paths base on user permissions. If input path
does not specify, it will return all secret.
You can list all secret paths by recursive by using `-r or --recursive` flags.
```console
$ vault-converter ls --help
List all secret path in input [SECRET_PATH]. If the input [SECRET_PATH] is empty.
It will return all secret from 'root'. It will try to get all secret that current user
can 'read'.
Usage:
vault-converter ls [SECRET_PATH] [flags]
Flags:
-a, --address string addr of the Auth server. This can also be specified via the VAULT_ADDR environment variable. (default "https://127.0.0.1:8200")
-h, --help help for ls
-r, --recursive List secret recursive or not.
Global Flags:
-v, --version Print version information and exit. This flag is only available at the global level.
```