Name: vault-kv-extract
Owner: Improbable Engineering
Description: A script for migrating hidden Vault secrets out of an etcd storage backend
Created: 2018-04-20 11:11:45.0
Updated: 2018-05-23 19:28:09.0
Pushed: 2018-04-20 16:41:25.0
Size: 5402
Language: Go
GitHub Committers
| User | Most Recent Commit | # Commits |
|---|
Other Committers
| User | Most Recent Commit | # Commits |
|---|
This repo holds the script we used to migrate hidden Vault (v0.6.5) secrets out of an etcd v3 storage backend. Read more about our migration escapade at Breaking into our own vault of secrets.
Exec into GKE node with Vault
bectl exec -it $ETCD_NODE_NAME -- /bin/sh
tcdctl --version
ctl version: 3.3.2
version: 2
Snapshot etcd keyspace
TCDCTL_API=3 etcdctl --endpoints $ENDPOINT snapshot save snapshot.db
Copy snapshot from GKE node to local machine
bectl cp $ETCD_NODE_NAME:snapshot.db /tmp/etcd_backup
CDCTL_API=3 etcdctl snapshot restore /tmp/etcd_backup/snapshot.db \
me m1 \
itial-cluster m1=http://localhost:2380 \
itial-cluster-token etcd-cluster-1 \
itial-advertise-peer-urls http://localhost:2380
tcd --version
Version: 3.3.2
SHA: GitNotFound
ersion: go1.10
S/Arch: darwin/amd64
/tmp/etcd_backup && etcd \
me m1 \
sten-client-urls http://localhost:2379 \
vertise-client-urls http://localhost:2379 \
sten-peer-urls http://localhost:2380
CDCTL_API=3 etcdctl get / --prefix --keys-only
lt/logical/$UUID/$PATH_TO_KEY
get github.com/improbable-eng/vault-kv-extract
To migrate the secret at /vault/logical/$UUID/$PATH_TO_KEY to /secret/$PATH_TO_KEY in the destination Vault
ult-kv-extract \
igin_vault_backend_name "logical/$UUID" \
stination_vault_backend_name "secret/" \
igin_vault_master_key_shares "$SHARE1 $SHARE2 $SHARE$" \
igin_vault_keys_paths $PATH_TO_KEY \
stination_vault_address $VAULT_ADDR \
stination_vault_token $VAULT_TOKEN