CLI tool for hashicorp vault

Project description

This tool allows simple interactions with the Vault API, with configuration done in a separate step using a YAML configuration file.

This is especially useful if you interact with Hashicorp Vault from automated deployment tools.

Installation

The tool is packaged, but the package is not yet available on PyPI.

pip install vault-cli

If you wish to use the hvac backend, install with

pip install vault-cli[hvac]

Usage

Usage: vault [OPTIONS] COMMAND [ARGS]...

  Interact with a Vault. See subcommands for details.

  All arguments can be passed by environment variables:
  VAULT_CLI_UPPERCASE_NAME (including VAULT_CLI_PASSWORD and
  VAULT_CLI_TOKEN).

Options:
  -U, --url TEXT               URL of the vault instance
  --verify / --no-verify       Verify HTTPS certificate
  --ca-bundle PATH             Location of the bundle containing the server
                               certificate to check against.
  -c, --certificate-file PATH  Certificate to connect to vault. Configuration
                               file can also contain a "certificate" key.
  -T, --token-file PATH        File which contains the token to connect to
                               Vault. Configuration file can also contain a
                               "token" key.
  -u, --username TEXT          Username used for userpass authentication
  -w, --password-file PATH     Can read from stdin if "-" is used as
                               parameter. Configuration file can also contain
                               a "password" key.
  -b, --base-path TEXT         Base path for requests
  --backend TEXT               Name of the backend to use (requests, hvac)
  -v, --verbose                Use multiple times to increase verbosity
  --config-file PATH           Config file to use. Use 'no' to disable config
                               file. Default value: first of ./.vault.yml,
                               ~/.vault.yml, /etc/vault.yml
  -h, --help                   Show this message and exit.

Commands:
  delete       Deletes a single secret.
  delete-all   Delete multiple secrets.
  dump-config  Displays settings in the format of a config file.
  env          Launches a command, loading secrets in environment.
  get          Return a single secret value.
  get-all      Return multiple secrets.
  list         List all the secrets at the given path.
  set          Set a single secret to the given value(s).

Authentication

There are three ways to authenticate against the vault:

  • Username and password file: provide a username and a file to read the password from. The file may be - for stdin.
  • Certificate: provide the path to a certificate file. The file may also be read from stdin via -.
  • Token: bypass the authentication step if you already have a valid token.

Examples

# Connect to https://vault.mydomain:8200/project and list the secrets
$ vault --url=https://vault.mydomain:8200 --certificate=/etc/vault/certificate.key --base-path=project/ list
['mysecret']

# Using the configuration file, get the value for my_secret (yaml format)
$ vault get my_secret
--- qwerty
...

# Same with only the value of the secret in plain text
$ vault get my_secret --text
qwerty

# Add another secret
$ vault set my_other_secret supersecret
Done

# Add a secret object
$ vault set --yaml blob_secret "{code: supercode}"
Done

# Get all values from the vault in a single command (yaml format)
$ vault get-all
---
my_secret: qwerty
my_other_secret: supersecret
blob_secret:
  code: supercode
test:
  my_folder_secret: sesame

# Get a nested secret based on a path
$ vault get-all test/my_folder_secret
test:
  my_folder_secret: sesame

# Get all values from a folder in a single command (yaml format)
$ vault get-all test my_secret
---
my_secret: qwerty
test:
  my_folder_secret: sesame

# Delete a secret
$ vault delete my_other_secret
Done

# Launch a process with all secrets from folder blob_secret as environment variables
$ vault bootstrap-env --path blob_secret -- env
...
code=supercode
...

# Recreate a configuration file based on the current settings
$ vault --url https://something --token mytoken dump-config > .vault.yaml

# Delete everything under blob-secret
$ vault delete-all blob-secret

# Delete everything, no confirmation
$ vault delete-all --force
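The `env` example above launches a process with the secrets under a path exported as environment variables. The following is an added illustration of that idea, not vault-cli's own code: it walks a nested secrets mapping (a constructed sample shaped like the `get-all` output above), flattens what sits below the requested path into variable names, and passes the command as an argv list so secret values go into the child's environment rather than onto a command line where they would be visible in process listings. The `_` joiner for nested keys and the function names are assumptions.

```python
"""Added example, not vault-cli's own code: what the README's `env`
subcommand conceptually does. Secrets below a path are exported as
environment variables to a child process; the command is an argv list, so
secret values never appear on a command line."""
import os
import subprocess


def lookup_path(secrets, path):
    """Walk 'a/b/c' through a nested mapping; '' returns the root."""
    node = secrets
    for part in filter(None, path.split("/")):
        node = node[part]
    return node


def env_from_secrets(secrets, path, sep="_"):
    """Flatten everything below `path` into a flat {name: value} mapping.
    Nested keys are joined with `sep` (an assumption; the README only shows
    one level). Values are stringified because the environment is text."""
    node = lookup_path(secrets, path)
    if not isinstance(node, dict):
        # A single leaf: use the last path component as the variable name.
        return {path.rstrip("/").split("/")[-1]: str(node)}
    flat = {}

    def walk(prefix, value):
        if isinstance(value, dict):
            for key, sub in value.items():
                walk(f"{prefix}{sep}{key}" if prefix else key, sub)
        else:
            flat[prefix] = str(value)

    walk("", node)
    return flat


def run_with_secrets(argv, secrets, path, base_env=None):
    """Run argv with the secrets exported; returns (exit code, stdout).
    base_env defaults to the current environment."""
    env = dict(os.environ if base_env is None else base_env)
    env.update(env_from_secrets(secrets, path))
    proc = subprocess.run(argv, env=env, capture_output=True, text=True)
    return proc.returncode, proc.stdout


# Constructed sample mirroring the README's `get-all` output.
SAMPLE_SECRETS = {
    "my_secret": "qwerty",
    "blob_secret": {"code": "supercode"},
    "test": {"my_folder_secret": "sesame"},
}

if __name__ == "__main__":
    # The child reads $code from its environment; nothing secret is in argv.
    code, out = run_with_secrets(
        ["sh", "-c", 'printf "%s" "$code"'], SAMPLE_SECRETS, "blob_secret"
    )
    print(code, out)
```

Note that the child inherits the full parent environment plus the secrets; anything that child spawns in turn inherits them as well, so keep the command tree small.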

Configuration

The first file found in the following locations is read, parsed and used:

  1. /etc/vault.yml
  2. ~/.vault.yml
  3. ./.vault.yml

Any option passed as a command line flag takes precedence over the corresponding option in the configuration file (option names may use either - or _).

The expected format of the configuration is a mapping, with option names and their corresponding values:

---
username: my_username
password-file: ~/.vault-password
# or
token-file: ~/.vault-token
url: https://vault.mydomain:8200
verify: no
base-path: project/
...

Make sure the files holding the password or token have restrictive permissions.

For simple cases, you can directly define your token or password in the file:

---
username: my_username
password: secret-password
# or
token: secret-token
url: https://vault.mydomain:8200
verify: no
base-path: project/
...

If you do so, make sure the permissions of the configuration file itself are not too broad, since it now holds the secret.

Note that the --verify / --no-verify flags become verify: yes or verify: no in the configuration file.

All parameters can be defined from environment variables:

$ VAULT_CLI_URL=https://myvault.com vault list

The name is always the uppercase underscored name of the equivalent command line option. Token and password can also be passed as environment variables as VAULT_CLI_TOKEN and VAULT_CLI_PASSWORD.
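The three sections above describe a layered settings scheme: command line flags win over VAULT_CLI_* environment variables, which win over the first configuration file found, with - and _ interchangeable in option names, YAML yes/no standing in for --verify/--no-verify, and a warning to keep files that hold a token or password private. The block below is an added sketch of that resolution logic, not vault-cli's own implementation: the function names, the search order it takes from the list above, and the minimal flat key: value parser (a stand-in for a real YAML loader) are assumptions. It also refuses to load a token or password from a file readable by group or others, which is one way to enforce the permission advice.

```python
"""Added example, not vault-cli's own code: settings resolution in the
order the README describes (command line > VAULT_CLI_* environment >
first config file found) plus a permission check on files holding secrets.
Function names and the tiny flat-mapping parser are assumptions."""
import os
import stat
from pathlib import Path

# Search order as listed in the README's Configuration section.
CONFIG_SEARCH_PATHS = ["/etc/vault.yml", "~/.vault.yml", "./.vault.yml"]


def normalize(name):
    """'--base-path' -> 'base_path'; the README accepts '-' or '_'."""
    return name.lstrip("-").lower().replace("-", "_")


def coerce(value):
    """Map YAML booleans so 'verify: no' matches --no-verify."""
    low = value.lower()
    if low in ("yes", "true", "on"):
        return True
    if low in ("no", "false", "off"):
        return False
    return value


def parse_flat_config(text):
    """Parse the flat 'key: value' mapping shown in the README.
    Deliberately minimal (no nesting, no quoting); a real loader would use
    a YAML library. Comment lines and the ---/... markers are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line in ("---", "..."):
            continue
        key, _, value = line.partition(":")
        settings[normalize(key.strip())] = coerce(value.strip())
    return settings


def is_private(path):
    """True when no group/other permission bits are set, i.e. only the
    owner can read the file holding a token or password."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def find_config(search_paths=CONFIG_SEARCH_PATHS):
    """Return the first existing file in search order, or None."""
    for candidate in search_paths:
        path = Path(candidate).expanduser()
        if path.is_file():
            return path
    return None


def settings_from_env(environ):
    """VAULT_CLI_BASE_PATH=x -> {'base_path': 'x'}; VAULT_CLI_VERIFY=no -> False."""
    prefix = "VAULT_CLI_"
    return {
        normalize(key[len(prefix):]): coerce(value)
        for key, value in environ.items()
        if key.startswith(prefix)
    }


def resolve(cli_args=None, environ=None, config=None):
    """Merge layers, later layers overriding earlier ones:
    config file < environment < command line. None means 'not given'."""
    merged = {}
    for layer in (config or {}, settings_from_env(environ or {}), cli_args or {}):
        for key, value in layer.items():
            if value is not None:
                merged[normalize(key)] = value
    return merged


def load_settings(cli_args, environ=None, search_paths=CONFIG_SEARCH_PATHS):
    """Full resolution: locate the config file, reject it if it stores a
    secret while being readable by others, then apply the precedence."""
    environ = os.environ if environ is None else environ
    config = {}
    path = find_config(search_paths)
    if path is not None:
        config = parse_flat_config(path.read_text())
        if ("token" in config or "password" in config) and not is_private(path):
            raise PermissionError(f"{path} holds a secret but is readable by group/others")
    return resolve(cli_args, environ, config)
```

A file that holds only a `token-file` or `password-file` reference passes the check; the referenced secret file would deserve the same `is_private` test before being read.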

State

The tool is currently in beta mode. It's missing docs, linting, and such. Be warned.

License

Copyright 2018 PeopleDoc

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Download files

Source Distribution: vault-cli-0.4.0.tar.gz (13.0 kB)

Built Distribution: vault_cli-0.4.0-py2.py3-none-any.whl (18.7 kB, Python 2 and Python 3)

File details: vault-cli-0.4.0.tar.gz

  • Size: 13.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.21.0 setuptools/40.5.0 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.6.7

Hashes for vault-cli-0.4.0.tar.gz:

  SHA256      cdce5ad3ee8a630829c002e369c1525dd0da59dff1be96c566b37fb3c7be5e5b
  MD5         c350e944701cab601bea6edfcddc2ec7
  BLAKE2b-256 af5461e6c643949871642485f0a90be70371c2b3521a0a90779f0bdae383d2e0

File details: vault_cli-0.4.0-py2.py3-none-any.whl

  • Size: 18.7 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.21.0 setuptools/40.5.0 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.6.7

Hashes for vault_cli-0.4.0-py2.py3-none-any.whl:

  SHA256      35fe9e1af152cbc3c3c513f2302892a91936f7758d27c750827f4aa8fa0b0daf
  MD5         c258e5bd811db4f5d9ccfc17f49508c1
  BLAKE2b-256 7cc1697cda517855856ba16770d870c5588fe9e7621f58a4fb2daf99f71696ed