HashiCorp Vault - export secrets from one vault, then import them into another vault

Time: 2020-03-30 13:56:42

Tags: hashicorp-vault

I want to export the secrets from one vault and then import them into another vault.

It feels like there should be a simple way to do this from the command line, but I don't see an obvious, generic way to do it, i.e. a complete export followed by an import of the secrets.

Is there any way to do this? I would prefer a command-line solution using vault scripts.

3 answers:

Answer 0 (score: 2)

We are developing an open source CLI tool that does exactly what you need. The tool can handle a single secret or a complete tree structure on both import and export. It also supports end-to-end encryption of your secrets between the export and the import when moving them between Vault instances.
https://github.com/jonasvinther/medusa

export VAULT_ADDR=https://192.168.86.41:8201
export VAULT_SKIP_VERIFY=true
export VAULT_TOKEN=00000000-0000-0000-0000-000000000000

./medusa export kv/path/to/secret --format="yaml" --output="my-secrets.txt"
./medusa import kv/path/to/new/secret ./my-secrets.txt

Answer 1 (score: 1)

The only way is to chain two vault commands, which in effect reads the value from the first vault and then writes it to the second. For example:

export VAULT_TOKEN=valid-token-for1
export VAULT_ADDR=https://vault1
# -field=data returns only the secret's key/value map from the KV v2 read
JSON_DATA=$(vault kv get -format=json -field=data secret/foo)

export VAULT_TOKEN=valid-token-for2
export VAULT_ADDR=https://vault2
# quote the variable so the JSON reaches vault unchanged; "-" makes kv put read the payload from stdin
printf '%s' "$JSON_DATA" | vault kv put secret/foo -

Answer 2 (score: 1)

The only way to export data from one vault to another is to do it for each key (and each path) individually. I have written a small bash script that automates this for all keys in a given path.

This script pulls the data for each key (in the given path) from the source vault and inserts it into the destination vault.

You need to provide the vault URL, token and CA certificate (for https authentication) for both the source and the destination vault, as well as the path (containing the keys), in the script below -

#! /usr/bin/env bash
set -eu

source_vault_url="<source-vault-url>"
source_vault_token="<source_vault_token>"
source_vault_cert_path="<source_vault_cert_path>"

destination_vault_url="<destination_vault_url>"
destination_vault_token="<destination_vault_token>"
destination_vault_cert_path="<destination_vault_cert_path>"

# secret_path is the kv-v2 mount from which the keys are to be exported from source vault to destination vault
secret_path="<path-without-slash>"

function _set_source_vault_env_variables() {
    export VAULT_ADDR="${source_vault_url}"
    export VAULT_TOKEN="${source_vault_token}"
    export VAULT_CACERT="${source_vault_cert_path}"
}

function _set_destination_vault_env_variables() {
    export VAULT_ADDR="${destination_vault_url}"
    export VAULT_TOKEN="${destination_vault_token}"
    export VAULT_CACERT="${destination_vault_cert_path}"
}

_set_destination_vault_env_variables

printf "Enabling kv-v2 secret engine at the path %s in the destination vault -\n" "${secret_path}"
# "|| true" keeps the script going when the mount already exists
vault secrets enable -path="${secret_path}/" kv-v2 || true

_set_source_vault_env_variables

# getting all the keys in the given path from source vault
# (sed drops the two-line "Keys / ----" header of the table output)
keys=$(vault kv list "${secret_path}/" | sed '1,2d')

# iterating through each key in source vault (in the given path) and inserting the same into destination vault
printf "Exporting keys from source vault %s at path %s/ ... \n" "${source_vault_url}" "${secret_path}"
for key in ${keys}
do
    # an entry ending in "/" is a nested folder; this script copies a single level only
    case "${key}" in
        */) printf "skipping nested path %s/%s (not handled by this script)\n" "${secret_path}" "${key}"; continue ;;
    esac

    _set_source_vault_env_variables

    key_data_json=$(vault kv get -format=json -field=data "${secret_path}/${key}")

    # print only the key name: the JSON holds the secret values and must not end up in terminal or CI logs
    printf "%s\n" "${key}"

    _set_destination_vault_env_variables

    # "-" makes kv put read the JSON payload from stdin
    printf '%s' "${key_data_json}" | vault kv put "${secret_path}/${key}" -
done

printf "Export Complete!\n"

# listing all the keys (in the given path) in the destination vault
printf "Keys in the destination vault %s at path %s/ -\n" "${destination_vault_url}" "${secret_path}"
vault kv list "${secret_path}/"
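Both Answer 1 and Answer 2 copy secrets one at a time through the vault CLI, and the script in Answer 2 stops at a single level of keys. The following is an added example, not code from any of the answers or from the medusa project, that performs the same read-then-write copy over Vault's KV v2 HTTP API and walks nested paths (a list entry ending in "/" is a folder). The class names, the environment variable names SRC_VAULT_ADDR, SRC_VAULT_TOKEN, DST_VAULT_ADDR and DST_VAULT_TOKEN, and the in-memory MemoryKv stand-in with its constructed secrets are assumptions made for this example; the endpoints it calls (metadata/<path>?list=true, data/<path>, and the cas write option) are the documented KV v2 API.

```python
"""Copy a KV v2 secret tree between two Vault servers over the HTTP API.

Added example for this Q&A page; not code from any of the answers. It assumes
KV version 2 on both mounts, a source token that can list and read under the
prefix, and a destination token that can write there.
"""
import json
import os
import urllib.error
import urllib.request


class HttpKv:
    """Minimal KV v2 client using only urllib (no hvac dependency)."""

    def __init__(self, addr, token, mount="secret", namespace=None):
        self.base = f"{addr.rstrip('/')}/v1/{mount.strip('/')}"
        self.headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
        if namespace:  # Vault Enterprise namespaces; omitted on open-source Vault
            self.headers["X-Vault-Namespace"] = namespace

    def _call(self, method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req) as resp:  # TLS certificates are verified by default
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def list(self, path):
        # GET <mount>/metadata/<path>?list=true -> {"data": {"keys": [...]}}; 404 means nothing there
        try:
            return self._call("GET", f"{self.base}/metadata/{path}?list=true")["data"]["keys"]
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return []
            raise

    def read(self, path):
        # KV v2 wraps the secret: {"data": {"data": {...}, "metadata": {...}}}
        return self._call("GET", f"{self.base}/data/{path}")["data"]["data"]

    def write(self, path, data, overwrite=True):
        body = {"data": data}
        if not overwrite:
            body["options"] = {"cas": 0}  # check-and-set: succeeds only if the key does not exist yet
        self._call("POST", f"{self.base}/data/{path}", body)


class MemoryKv:
    """In-memory stand-in with the same interface, for offline runs and tests (constructed data)."""

    def __init__(self, secrets=None):
        self.secrets = dict(secrets or {})

    def list(self, path):
        prefix = path if path == "" or path.endswith("/") else path + "/"
        entries = []
        for key in self.secrets:
            if key.startswith(prefix):
                head, *rest = key[len(prefix):].split("/", 1)
                entry = head + "/" if rest else head  # folders carry a trailing slash, as in Vault
                if entry not in entries:
                    entries.append(entry)
        return entries

    def read(self, path):
        return dict(self.secrets[path])

    def write(self, path, data, overwrite=True):
        # the real server answers cas conflicts with HTTP 400; the stand-in raises instead
        if not overwrite and path in self.secrets:
            raise PermissionError(f"check-and-set parameter did not match the current version: {path}")
        self.secrets[path] = dict(data)


def copy_tree(src, dst, prefix="", overwrite=False, log=print):
    """Recursively copy every secret under `prefix` from src to dst; returns the copied paths.

    A list entry ending in "/" is a folder and is descended into; anything else is a
    leaf secret. Only paths are logged, never values, so the output is safe in CI logs.
    """
    copied = []
    for key in src.list(prefix):
        path = prefix + key
        if key.endswith("/"):
            copied.extend(copy_tree(src, dst, path, overwrite, log))
            continue
        dst.write(path, src.read(path), overwrite=overwrite)
        log(f"copied {path}")
        copied.append(path)
    return copied


if __name__ == "__main__":
    if os.environ.get("SRC_VAULT_ADDR"):  # real servers; variable names are assumptions of this example
        src = HttpKv(os.environ["SRC_VAULT_ADDR"], os.environ["SRC_VAULT_TOKEN"])
        dst = HttpKv(os.environ["DST_VAULT_ADDR"], os.environ["DST_VAULT_TOKEN"])
    else:  # offline demonstration with constructed secrets
        src = MemoryKv({"app/db": {"password": "hunter2"}, "app/api/key": {"token": "t0k"}, "top": {"v": "1"}})
        dst = MemoryKv()
    copy_tree(src, dst)
```

With the default overwrite=False the copy refuses to clobber a secret that already exists in the destination (cas=0), which is the safer default for a migration; pass overwrite=True to re-run over an existing mount. Unlike VAULT_SKIP_VERIFY=true in Answer 0, this client verifies the servers' TLS certificates, so a private CA has to be trusted by the system store.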