peopledoc/vault-cli

Name: vault-cli

Owner: PeopleDoc

Description: null

Created: 2018-04-11 09:10:32.0

Updated: 2018-05-18 09:14:06.0

Pushed: 2018-05-18 09:14:04.0

Homepage: null

Size: 57

Language: Python

README

CLI tool for HashiCorp Vault

This tool allows simple interactions with the Vault API, with configuration done in a separate step using a YAML configuration file.

This is especially interesting if you interact with HashiCorp Vault from automated deployment tools.

Installation

The tool is packaged, but the package is not yet available on PyPI.

pip install git+https://github.com/peopledoc/vault-cli.git

Usage

$ vault --help
Usage: vault [OPTIONS] COMMAND [ARGS]...

  Interact with a Vault. See subcommands for details.

Options:
  --url TEXT                URL of the vault instance
  --verify / --no-verify    Verify HTTPS certificate
  --certificate FILENAME    The certificate to connect to vault
  --token TEXT              The token to connect to Vault
  --token-file FILENAME     File which contains the token to connect to
                            Vault
  --username TEXT           The username used for userpass authentication
  --password-file FILENAME  Can read from stdin if "-" is used as
                            parameter
  --base-path TEXT          Base path for requests
  --help                    Show this message and exit.

Commands:
  delete   Deletes a single secret.
  get      Return a single secret value.
  get-all  Return multiple secrets.
  list     List all the secrets at the given path.
  set      Set a single secret to the given value(s).

Authentication

There are three ways to authenticate against the vault:

Examples
# Connect to https://vault.mydomain:8200/project and list the secrets
$ vault --url=https://vault.mydomain:8200 --certificate=/etc/vault/certificate.key --base-path=project/ list
secret']

# Using the configuration file, get the value for my_secret (yaml format)
$ vault get my_secret
qwerty

# Same with only the value of the secret in plain text
$ vault get my_secret --text
qwerty

# Add another secret
$ vault set my_other_secret supersecret

# Add a secret object
$ vault set --yaml blob_secret "{code: supercode}"

# Get all values from the vault in a single command (yaml format)
$ vault get-all
my_secret: qwerty
my_other_secret: supersecret
blob_secret:
  code: supercode
test:
  my_folder_secret: sesame

# Get a nested secret based on a path
$ vault get-all test/my_folder_secret
test:
  my_folder_secret: sesame

# Get all values from a folder in a single command (yaml format)
$ vault get-all test my_secret
my_secret: qwerty
test:
  my_folder_secret: sesame

# Delete a secret
$ vault delete my_other_secret

Configuration

All files at the following locations are read (in increasing priority order), parsed, merged and used:

  1. /etc/vault.yml
  2. ~/.vault.yml
  3. ./.vault.yml

Any option passed as a command-line flag takes precedence over the corresponding option in the configuration files.

The expected format of the configuration is a mapping, with option names and their corresponding values:


username: my_username
password-file: ~/.vault-password

token-file: ~/.vault-token
url: https://vault.mydomain:8200
verify: no
base-path: project/

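Note that the --verify / --no-verify flag becomes verify: yes or verify: no in the configuration file. With verify: no, the HTTPS certificate of the Vault server is not verified for any command that uses that configuration.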
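Because three files and the command line can each set the same option, it helps to see which source won before a deployment run. The following Python is an added example, not vault-cli's own code: it merges parsed layers in the README's priority order, records the source of each option, and flags verify: no and token or password files accessible beyond their owner. It assumes a flat per-option override and PyYAML for load_layers; all function names are hypothetical.

```python
import os
import stat

# Locations listed in the README, lowest priority first.
CONFIG_FILES = ["/etc/vault.yml", "~/.vault.yml", "./.vault.yml"]

def load_layers(paths=CONFIG_FILES):
    """Parse each existing file into (path, mapping). Needs PyYAML."""
    import yaml  # lazy import: merge and audit below have no dependency
    layers = []
    for path in paths:
        full = os.path.expanduser(path)
        if os.path.isfile(full):
            with open(full) as handle:
                layers.append((path, yaml.safe_load(handle) or {}))
    return layers

def merge_layers(layers, cli_flags=None):
    """Return {option: (value, source)}; later layers win, flags win last.
    Assumption: the merge is a flat per-option override."""
    merged = {}
    for source, options in list(layers) + [("command line", cli_flags or {})]:
        for name, value in options.items():
            merged[name] = (value, source)
    return merged

def audit(merged):
    """Return warnings for settings that weaken access to Vault."""
    warnings = []
    verify, source = merged.get("verify", (None, None))
    if verify is False:  # YAML 1.1 parsers read "verify: no" as False
        warnings.append(f"verify disabled by {source}")
    for option in ("token-file", "password-file"):
        path, source = merged.get(option, (None, None))
        full = os.path.expanduser(path) if path else None
        if full and os.path.exists(full):
            if os.stat(full).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                warnings.append(f"{option} from {source} is accessible beyond its owner")
    return warnings

if __name__ == "__main__":
    # Constructed sample layers standing in for parsed files.
    sample = [("/etc/vault.yml", {"url": "https://vault.mydomain:8200", "verify": True}),
              ("./.vault.yml", {"verify": False, "base-path": "project/"})]
    merged = merge_layers(sample, cli_flags={"base-path": "other/"})
    for name, (value, source) in merged.items():
        print(f"{name} = {value!r}  (from {source})")
    print(audit(merged))
```

On a real host, pass the result of load_layers() to merge_layers() together with only the flags actually given on the command line.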

State

The tool is currently in beta mode. It's missing docs, tests, CI, pip packaging, Debian packaging, and such. Be warned.


This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.