CLI tool for hashicorp vault
Project description
CLI tool for Hashicorp Vault
This tools allows simple interactions with the vault API, allowing configuration to be done in a separate step using a YAML configuration file.
This is especially interesting if you interact with Hashicorp Vault from automated deployment tools
Installation
The tool is packaged but the package is not yet available on pypi.
pip install vault-cli
If you wish to use the hvac backend, install with
pip install vault-cli[hvac]
Usage
Usage: vault [OPTIONS] COMMAND [ARGS]...
Interact with a Vault. See subcommands for details.
All arguments can be passed by environment variables:
VAULT_CLI_UPPERCASE_NAME (including VAULT_CLI_PASSWORD and
VAULT_CLI_TOKEN).
Options:
-U, --url TEXT URL of the vault instance
--verify / --no-verify Verify HTTPS certificate
-c, --certificate-file PATH Certificate to connect to vault. Configuration
file can also contain a "certificate" key.
-T, --token-file PATH File which contains the token to connect to
Vault. Configuration file can also contain a
"token" key.
-u, --username TEXT Username used for userpass authentication
-w, --password-file PATH Can read from stdin if "-" is used as
parameter. Configuration file can also contain
a "password" key.
-b, --base-path TEXT Base path for requests
--backend TEXT Name of the backend to use (requests, hvac)
--config-file PATH Config file to use. Use 'no' to disable config
file. Default value: first of ./.vault.yml,
~/.vault.yml, /etc/vault.yml
-h, --help Show this message and exit.
Commands:
delete Deletes a single secret.
get Return a single secret value.
get-all Return multiple secrets.
list List all the secrets at the given path.
set Set a single secret to the given value(s).
Authentication
There are three ways to authenticate against the vault:
- Username and password file: provide a username and a file to read the
password from. The file may be
-
for stdin. - Certificate: provide the path to a certificate file. The file may also be
read from stdin via
-
. - Token: Bypass authentication step if you already have a valid token.
Examples
# Connect to https://vault.mydomain:8200/project and list the secrets
$ vault --url=https://vault.mydomain:8200 --certificate=/etc/vault/certificate.key --base-path=project/ list
['mysecret']
# Using the configuration file, get the value for my_secret (yaml format)
$ vault get my_secret
--- qwerty
...
# Same with only the value of the secret in plain text
$ vault get my_secret --text
qwerty
# Add another secret
$ vault set my_other_secret supersecret
Done
# Add a secret object
$ vault set --yaml blob_secret "{code: supercode}"
Done
# Get all values from the vault in a single command (yaml format)
$ vault get-all
---
my_secret: qwerty
my_other_secret: supersecret
blob_secret:
code: supercode
test:
my_folder_secret: sesame
# Get a nested secret based on a path
$ vault get-all test/my_folder_secret
test:
my_folder_secret: sesame
# Get all values from a folder in a single command (yaml format)
$ vault get-all test my_secret
---
my_secret: qwerty
test:
my_folder_secret: sesame
# Delete a secret
$ vault delete my_other_secret
Done
Configuration
The first file found in the following location is read, parsed and used:
/etc/vault.yml
~/.vault.yml
./.vault.yml
Any option passed as command line flag will be used over the corresponding
option in the documentation (use either -
or _
).
The expected format of the configuration is a mapping, with option names and their corresponding values:
---
username: my_username
password-file: ~/.vault-password
# or
token-file: ~/.vault-token
url: https://vault.mydomain:8200
verify: no
base-path: project/
...
Make sure the secret files have their permissions set accordingly.
For simple cases, you can directly define your token
or password
in the
file:
---
username: my_username
password: secret-password
# or
token: secret-token
url: https://vault.mydomain:8200
verify: no
base-path: project/
...
If you do so, make sure the permissions of the configuration file itself are not too broad
Just note that the --verify / --no-verify
flag become verify: yes
or
verify: no
All parameters can be defined from environment variables:
$ VAULT_CLI_URL=https://myvault.com vault list
The name is always the uppercase underscored name of the equivalent command line option. Token and password can also be passed as environment variables as VAULT_CLI_TOKEN and VAULT_CLI_PASSWORD.
State
The tool is currently in beta mode. It's missing docs, linting, and such. Be warned.
License
Copyright 2018 PeopleDoc
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file vault-cli-0.3.4.tar.gz
.
File metadata
- Download URL: vault-cli-0.3.4.tar.gz
- Upload date:
- Size: 10.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.11.0 pkginfo/1.4.2 requests/2.18.4 setuptools/39.0.1 requests-toolbelt/0.8.0 tqdm/4.24.0 CPython/3.6.3
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 2dba2a2aa2d0bd871a9043ff0d80840a3d2bb8712439d993c06cbcf9866a8c52 |
|
MD5 | aafc679da6d70c7a32a665d0669a2c17 |
|
BLAKE2b-256 | 8dfc848d7446967a221ff33aa2dbf17ff472a85a692b511ae84dc2f42f143345 |
File details
Details for the file vault_cli-0.3.4-py2.py3-none-any.whl
.
File metadata
- Download URL: vault_cli-0.3.4-py2.py3-none-any.whl
- Upload date:
- Size: 13.5 kB
- Tags: Python 2, Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.11.0 pkginfo/1.4.2 requests/2.18.4 setuptools/39.0.1 requests-toolbelt/0.8.0 tqdm/4.24.0 CPython/3.6.3
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | a647c6a421e7a428243348302d51ff207fec34d84a51db2e1651343b74e050c1 |
|
MD5 | 3e219aa438631f6284a90841af8bfe4d |
|
BLAKE2b-256 | d024507e2cf0e7d035b8fdabbdc7f062625385b96c96fc437c506a91fc61c759 |