Dump your Hashicorp Vault KV version 2 secrets engine contents to a file. Inspired by vault-backup but updated to work with KV version 2 only. Not guaranteed to be consistent.
Note: if you are looking for a more mature tool, go for https://github.com/jonasvinther/medusa! Or have a look at https://github.com/kir4h/rvault :)
In addition to the environment variables like VAULT_ADDR that the hvac Python client for Hashicorp Vault implicitly uses, the following are used by this script:
PYTHONIOENCODING is used to ensure your keys are exported in valid encoding, make sure to use the same during import/export
VAULT_DUMP_MOUNTPOINT optionally passed as mount_point argument to the hvac Python client
VAULT_DUMP_PATH_PREFIX optionally can be used to only dump a sub path (e.g. "my/nested/path/") of the KV version 2 secrets engine
You need to have the vault CLI tool and pipenv installed.
vault login # with auth method of your choice
pipenv install # reads dependencies from Pipfile
export PYTHONIOENCODING="utf-8"
export VAULT_DUMP_MOUNTPOINT="/mysecrets/"
python vault-dump-kv2.py > mysecrets.txt
The generated script can be run with sh mysecrets.txt but beware that all keys in the target Vault will be overwritten on import!
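How a recursive KV version 2 walk can be turned into import lines that stay intact when run with sh, as an added example that is not this repository's code. The function names, the constructed sample tree and the `vault kv put` line layout are assumptions, and secret values are assumed to be flat strings.

```python
import shlex

def hvac_adapters(client, mount_point):
    """Wrap an authenticated hvac.Client in the two callables used below."""
    kv = client.secrets.kv.v2
    def list_keys(path):
        return kv.list_secrets(path=path, mount_point=mount_point)["data"]["keys"]
    def read_secret(path):
        return kv.read_secret_version(path=path, mount_point=mount_point)["data"]["data"]
    return list_keys, read_secret

def walk_kv2(list_keys, read_secret, prefix=""):
    """Yield (path, data) for every secret below prefix, depth first."""
    for key in sorted(list_keys(prefix)):
        path = prefix + key
        if key.endswith("/"):  # KV v2 listings mark folders with a trailing slash
            yield from walk_kv2(list_keys, read_secret, path)
        else:
            yield path, read_secret(path)

def render_put(mount_point, path, data):
    """Build one import line; every token is shell-quoted so spaces, quotes
    and $ inside a secret are not interpreted by sh on import."""
    target = f"{mount_point.strip('/')}/{path}"
    pairs = [f"{k}={v}" for k, v in sorted(data.items())]
    return " ".join(shlex.quote(t) for t in ["vault", "kv", "put", target, *pairs])

def dump(list_keys, read_secret, mount_point, prefix=""):
    """Return the import lines for everything below prefix."""
    return [render_put(mount_point, p, d)
            for p, d in walk_kv2(list_keys, read_secret, prefix)]

# Constructed sample data standing in for a live Vault (not real secrets).
SAMPLE_TREE = {
    "": ["root-token", "app/"],
    "app/": ["nested/", "db"],
    "app/nested/": ["api key"],
}
SAMPLE_SECRETS = {
    "root-token": {"value": "s3cr3t"},
    "app/db": {"user": "svc", "password": "p@ss 'w' $HOME"},
    "app/nested/api key": {"token": "abc"},
}

if __name__ == "__main__":
    print("\n".join(dump(SAMPLE_TREE.__getitem__, SAMPLE_SECRETS.__getitem__,
                         "/mysecrets/")))
```

The output file holds every secret in plaintext, so create it with a restrictive umask and delete it once the import is done.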
To run all checks and tests locally do:
export PYTHONIOENCODING="utf-8"
export VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_DEV_ROOT_TOKEN_ID="test"
docker run -d --name vault -p 8200:8200 -e VAULT_DEV_ROOT_TOKEN_ID vault
make
Alternatively you can also open a Pull Request against this repository and let the CI run the checks and tests.