@avoidik
Forked from mazenovi/vault-tree
Created June 18, 2019 10:36
Recursively explore your HashiCorp Vault
#!/usr/bin/env bash
# Recursively print every secret path below the given prefix (KV v1 style paths).
# `vault list` prints a "Keys" header and a "----" rule first, so skip the first two lines.
function walk() {
  for secret in $(vault list "$1" | tail -n +3)
  do
    if [[ ${secret} == *"/" ]] ; then
      # a trailing slash marks a folder: descend into it
      walk "${1}${secret}"
    else
      echo "${1}${secret}"
    fi
  done
}
query="${1}"
# make sure the starting prefix ends with a slash
if [[ ${query} != *"/" ]] ; then
  query=${query}/
fi
echo "${1}"
walk "${query}"
avoidik commented Jun 18, 2019

import hvac

# address and token are placeholders: replace them with your own
vlt = hvac.Client(url='http://127.0.0.1:8200', token='supersecretsquirrel')

def enum_vault(path=None):
  # avoid a mutable default argument; start at the KV v1 mount 'secret/'
  if path is None:
    path = ['secret/']
  stuff = vlt.list("".join(path))
  try:
    keys = stuff['data']['keys']
  except TypeError:
    # list() returns None when the path has no children (HTTP 404)
    keys = []
  for k in keys:
    if k.endswith('/'):
      # folder: descend, then restore the path stack
      path.append(str(k))
      enum_vault(path)
      path.pop()
    else:
      pathstr = "".join(path) + str(k)
      print(pathstr + "  ==>  " + str(vlt.read(pathstr)['data']))

enum_vault()

hashicorp/vault#2142

avoidik commented Jun 18, 2019

vault read -format=json sys/mounts | jq -r '.data | with_entries(select(.value.type=="kv")) | map_values(.type)'
#
vault read -format=json sys/mounts | jq -r '.data | with_entries(select(.key|match("secret"))) | map_values(.options)'
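An added example, not part of this gist or its comments: the walkers above assume a KV v1 mount, while a KV v2 mount (the `.options` query above shows the version) only answers list calls under `<mount>metadata/`. This version-aware Python walker runs offline against a constructed `sys/mounts` payload and a constructed fake tree; `SAMPLE_MOUNTS`, `SAMPLE_TREE` and `fake_list` are stand-ins for a live Vault and hvac's `Client.list()`, and `inventory()` goes beyond the gist by covering every kv mount at once.

```python
from typing import Callable, Dict, List, Optional

# Constructed sample of the .data object from `vault read -format=json sys/mounts`.
SAMPLE_MOUNTS = {
    "secret/": {"type": "kv", "options": {"version": "2"}},
    "kv-old/": {"type": "kv", "options": {"version": "1"}},
    "cubbyhole/": {"type": "cubbyhole", "options": None},
}
# Constructed fake tree: list prefix -> keys, as hvac returns in {'data': {'keys': [...]}}.
SAMPLE_TREE = {
    "secret/metadata/": ["app/", "shared-token"],
    "secret/metadata/app/": ["db-password", "nested/"],
    "secret/metadata/app/nested/": ["api-key"],
    "kv-old/": ["legacy-cred"],
}

def kv_list_prefixes(mounts: Dict[str, dict]) -> Dict[str, str]:
    """Map each kv mount to the prefix the list API must be called with:
    KV v2 lists under '<mount>metadata/', KV v1 under the mount itself."""
    prefixes = {}
    for mount, info in mounts.items():
        if info.get("type") != "kv":
            continue  # cubbyhole, aws, ... are not listable secret trees
        version = (info.get("options") or {}).get("version", "1")
        prefixes[mount] = mount + "metadata/" if version == "2" else mount
    return prefixes

def walk(prefix: str, list_fn: Callable[[str], Optional[dict]], out: List[str]) -> List[str]:
    """Recurse like the gist's walk(): a key ending in '/' is a folder, anything else a leaf."""
    resp = list_fn(prefix)
    keys = (resp or {}).get("data", {}).get("keys", [])  # None means nothing listable here
    for key in keys:
        if key.endswith("/"):
            walk(prefix + key, list_fn, out)
        else:
            out.append(prefix + key)
    return out

def fake_list(prefix: str) -> Optional[dict]:
    """Stand-in for hvac's Client.list(): None for an unknown prefix, like Vault's 404."""
    keys = SAMPLE_TREE.get(prefix)
    return {"data": {"keys": keys}} if keys is not None else None

def inventory(mounts: Dict[str, dict], list_fn: Callable[[str], Optional[dict]]) -> List[str]:
    """Every secret path across all kv mounts, using the right prefix per KV version."""
    paths: List[str] = []
    for prefix in kv_list_prefixes(mounts).values():
        walk(prefix, list_fn, paths)
    return paths
```

Listing the v2 mount at `secret/` instead of `secret/metadata/` returns nothing, which is why the gist's walker silently reports an empty tree on a v2 mount.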

avoidik commented Aug 2, 2021

# same for secrets
vault read -format=json sys/mounts | jq -r '.data | with_entries(select(.value.type=="aws")) | map_values(.type)'
# same for auth
vault read -format=json sys/auth | jq -r '.data | with_entries(select(.value.type=="aws")) | map_values(.type)'

avoidik commented Aug 2, 2021

# get all AWS access-keys associated with Vault AWS secrets
for item in $(vault read -format=json sys/mounts | jq -r '.data | with_entries(select(.value.type=="aws")) | keys[]'); do
  # mount names carry a trailing slash ("aws/"); strip it before building the path
  vault read -format=json "${item%/}/config/root" | jq -r '.data.access_key'
done
# get all AWS access-keys associated with Vault AWS auth
for item in $(vault read -format=json sys/auth | jq -r '.data | with_entries(select(.value.type=="aws")) | keys[]'); do
  vault read -format=json "auth/${item%/}/config/client" | jq -r '.data.access_key'
done
