Dump your HashiCorp Vault KV version 2 secrets engine contents to a file. Inspired by vault-backup but updated to work with KV version 2 only. Not guaranteed to be consistent.
Note: if you are looking for a more mature tool, go for https://github.com/jonasvinther/medusa! Or have a look at https://github.com/kir4h/rvault :)
In addition to the environment variables like VAULT_ADDR that the hvac Python client for HashiCorp Vault implicitly uses, the following are used by this script:
- PYTHONIOENCODING is used to ensure your keys are exported in a valid encoding; make sure to use the same value during import and export
- VAULT_DUMP_MOUNTPOINT is optionally passed as the mount_point argument to the hvac Python client
- VAULT_DUMP_PATH_PREFIX can optionally be used to dump only a sub path (e.g. "my/nested/path/") of the KV version 2 secrets engine
You need to have the vault CLI tool and pipenv installed.
vault login # with auth method of your choice
pipenv install # reads dependencies from Pipfile
export PYTHONIOENCODING="utf-8"
export VAULT_DUMP_MOUNTPOINT="/mysecrets/"
python vault-dump-kv2.py > mysecrets.txt
The generated script can be run with sh mysecrets.txt but beware that all keys in the target Vault will be overwritten on import!
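As an added illustration (not this repository's code), the sketch below shows how a KV version 2 dump of this kind can walk a mount point and optional path prefix with hvac and emit shell-quoted commands, so that secret values containing spaces, quotes or `$(...)` stay inert when the file is run with sh. The `vault kv put` output format, the flat string values and the in-memory stand-in for `hvac.Client` are assumptions made for the example.

```python
import shlex
from types import SimpleNamespace


def dump_kv2(client, mount_point="secret", prefix=""):
    """Walk a KV v2 mount depth-first; return one `vault kv put` line per secret."""
    kv = client.secrets.kv.v2
    lines = []
    listing = kv.list_secrets(path=prefix, mount_point=mount_point)
    for key in sorted(listing["data"]["keys"]):
        path = prefix + key
        if key.endswith("/"):  # a trailing slash marks a sub-folder
            lines += dump_kv2(client, mount_point, path)
            continue
        # KV v2 nests the secret payload under data.data
        data = kv.read_secret_version(path=path, mount_point=mount_point)["data"]["data"]
        # Quote every key=value pair so the shell treats it as one literal word.
        args = " ".join(shlex.quote(f"{k}={v}") for k, v in sorted(data.items()))
        target = shlex.quote(f"{mount_point.strip('/')}/{path}")
        lines.append(f"vault kv put {target} {args}")
    return lines


# Constructed in-memory stand-in for hvac.Client, so the sketch runs offline.
FAKE_TREE = {"": ["app/", "root-key"], "app/": ["db"]}
FAKE_SECRETS = {
    "root-key": {"value": "plain"},
    "app/db": {"user": "svc", "password": "p@ss $(id) 'x'"},
}


def fake_client():
    v2 = SimpleNamespace(
        list_secrets=lambda path, mount_point: {"data": {"keys": FAKE_TREE[path]}},
        read_secret_version=lambda path, mount_point: {"data": {"data": FAKE_SECRETS[path]}},
    )
    return SimpleNamespace(secrets=SimpleNamespace(kv=SimpleNamespace(v2=v2)))


if __name__ == "__main__":
    # Against a real server (assumption): import hvac; client = hvac.Client()
    print("\n".join(dump_kv2(fake_client(), mount_point="/mysecrets/")))
```

The output of such a dump holds every secret in plaintext, so the file it is redirected to needs the same protection as the Vault data itself.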
To run all checks and tests locally do:
export PYTHONIOENCODING="utf-8"
export VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_DEV_ROOT_TOKEN_ID="test"
docker run -d --name vault -p 8200:8200 -e VAULT_DEV_ROOT_TOKEN_ID vault
make
Alternatively you can also open a Pull Request against this repository and let the CI run the checks and tests.