CC-BY-NC-SA-4.0 Apache-2.0
This post includes some LLM-derived content
Migrating secrets between two Vault instances

I've got a number of secrets I need to move across two Vault instances, which could be done manually, but I wanted to try and simplify with a lil' bit of automation.
As a starting point, I asked GPT-4o (via Copilot), which set me on the right track of being able to vault kv put ... @file.json, if the file.json is correctly set up.
With this in mind, I then wrote the following script:
#!/usr/bin/env bash
# Stop on the first failed command or unset variable, so a failed read from the
# source never ends up writing an empty secret into the target
set -euo pipefail
SOURCE_VAULT_ADDR=https://vault-one.example.com
SOURCE_VAULT_PREFIX=kv/shared/all-applications
TARGET_VAULT_ADDR=https://vault-one.example.localhost
TARGET_VAULT_PREFIX=kv/some/other/path
for secret in "admin_creds" "docker_registry" "vendor_api_key"; do
  out="$(mktemp)"
  # NOTE that if you want to use a source Vault with a non-KV engine, you'll need to amend this
  env VAULT_ADDR="$SOURCE_VAULT_ADDR" VAULT_TOKEN="$SOURCE_VAULT_TOKEN" vault kv get -format=json -field=data "$SOURCE_VAULT_PREFIX/$secret" > "$out"
  # NOTE that if you want to use a target Vault with a non-KV engine, you'll need to amend this
  env VAULT_ADDR="$TARGET_VAULT_ADDR" VAULT_TOKEN="$TARGET_VAULT_TOKEN" vault kv put "$TARGET_VAULT_PREFIX/$secret" @"$out"
  # and make sure we delete the plaintext secrets (shred is only best-effort on
  # tmpfs and journaling filesystems, so don't rely on it alone)
  shred "$out"
  rm "$out"
done
This would then allow being run like so:
env SOURCE_VAULT_TOKEN=hvs.xxxx TARGET_VAULT_TOKEN=hvs.xxxx ./mv-secrets.sh
This then writes them into the new locations.
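As an added example (not the script from the post above), the same migration with a read-back check: after each kv put, the secret is read back from the target and compared byte-for-byte with the source dump, and a secret that cannot be read from the source is reported instead of being written as an empty map. It assumes the vault CLI is on PATH and that the SOURCE_/TARGET_ variables above are exported by the caller rather than set inside the script.

```shell
#!/bin/sh
# Added example, not from the original post. Copies each KV secret, then reads
# it back from the target and compares it with the source dump. Assumes the
# vault CLI is on PATH and SOURCE_/TARGET_VAULT_{ADDR,TOKEN,PREFIX} are exported.
set -eu

# Print the data map of a KV secret as JSON.  $1=addr $2=token $3=secret path
kv_read() {
  VAULT_ADDR="$1" VAULT_TOKEN="$2" vault kv get -format=json -field=data "$3"
}

# Write a JSON data map from file $4 into the KV secret at $3.
kv_write() {
  VAULT_ADDR="$1" VAULT_TOKEN="$2" vault kv put "$3" @"$4" >/dev/null
}

# Overwrite and delete temp files that held plaintext. shred is best-effort on
# tmpfs and journaling filesystems, so it is defence in depth, not a guarantee.
scrub() {
  for f in "$@"; do shred -u "$f" 2>/dev/null || rm -f "$f"; done
}

# Copy secret $1 to the target, read it back and compare. Returns 0 only when
# the target holds byte-identical data (the CLI sorts map keys, so equal data
# renders identically); any failed step or empty source read gives MISMATCH.
migrate_and_verify() {
  secret="$1"; rc=0
  src="$(mktemp)"; back="$(mktemp)"
  if kv_read "$SOURCE_VAULT_ADDR" "$SOURCE_VAULT_TOKEN" "$SOURCE_VAULT_PREFIX/$secret" >"$src" \
     && [ -s "$src" ] \
     && kv_write "$TARGET_VAULT_ADDR" "$TARGET_VAULT_TOKEN" "$TARGET_VAULT_PREFIX/$secret" "$src" \
     && kv_read "$TARGET_VAULT_ADDR" "$TARGET_VAULT_TOKEN" "$TARGET_VAULT_PREFIX/$secret" >"$back" \
     && cmp -s "$src" "$back"; then
    echo "OK       $secret"
  else
    echo "MISMATCH $secret" >&2; rc=1
  fi
  scrub "$src" "$back"
  return "$rc"
}

# Migrate every secret named on the command line; status 1 if any failed.
migrate_all() {
  failed=0
  for s in "$@"; do migrate_and_verify "$s" || failed=1; done
  return "$failed"
}

# Usage: ./mv-secrets.sh admin_creds docker_registry vendor_api_key
migrate_all "$@"
```

Run it with the same SOURCE_VAULT_TOKEN / TARGET_VAULT_TOKEN environment as the original script; a non-zero exit means at least one secret did not verify and should be inspected before the source copy is removed.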