Recursively enumerate the secret paths stored in a HashiCorp Vault instance.
#!/usr/bin/env bash
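#######################################
# Recursively print every secret path beneath a Vault prefix.
# Arguments: $1 - path prefix, expected to end with "/" (e.g. "secret/")
# Outputs:   one fully-qualified secret path per line on stdout
# Notes:     relies on the table output of `vault list` (a "Keys" line and
#            a "----" line, then one key per line). Keys ending in "/" are
#            descended into; everything else is printed. Keys are read one
#            line at a time, so names containing spaces or glob characters
#            are handled as a single key instead of being word-split.
#            A failed `vault list` (missing path, denied) simply yields no
#            keys; nothing is printed for that subtree.
#######################################
walk() {
  local prefix=$1
  local key
  # `tail -n +3` drops the two header lines of the table format.
  while IFS= read -r key; do
    [[ -n "$key" ]] || continue
    if [[ "$key" == */ ]]; then
      walk "${prefix}${key}"
    else
      printf '%s\n' "${prefix}${key}"
    fi
  done < <(vault list "$prefix" | tail -n +3)
}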
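# Entry point.
#   $1 - mount or prefix to walk (e.g. "secret/" or "secret/app")
# Refuse to run without an argument instead of silently walking "/".
query="${1:?usage: ${0##*/} <vault-path-prefix>}"
# Guarantee exactly one trailing slash so walk() can append key names directly.
if [[ "$query" != */ ]]; then
  query="${query}/"
fi
# Echo the prefix as given, then every secret path found beneath it.
printf '%s\n' "$1"
walk "$query"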
import os

import hvac
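# Connection settings are taken from the standard Vault CLI environment
# variables (VAULT_ADDR / VAULT_TOKEN) so a real token does not have to be
# committed in source; the literals are only fallbacks for a local dev
# server. Note the fallback URL is plain HTTP, which is acceptable for
# 127.0.0.1 but not for a remote Vault: set VAULT_ADDR to an https:// URL.
vlt = hvac.Client(
    url=os.environ.get('VAULT_ADDR', 'http://127.0.0.1:8200'),
    token=os.environ.get('VAULT_TOKEN', 'supersecretsquirrel'),
)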
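def enum_vault(path=None, client=None):
    """Recursively list a KV prefix and print every secret beneath it.

    Args:
        path: list of path components (each ending in "/") that are joined
            to form the prefix to list. Defaults to ``['secret/']``. A fresh
            list is built per top-level call; the original used a mutable
            default argument, so the list was shared between calls and any
            exception raised mid-walk left stale components in it.
        client: object exposing ``list(path)`` and ``read(path)`` like the
            hvac client. Defaults to the module-level ``vlt``; injectable so
            the walker can be exercised without a live Vault.

    Side effects:
        Prints ``"<path> ==> <data>"`` for every leaf key, i.e. secret
        *values* are written to stdout in plaintext — redirect with care.

    NOTE(review): as written this assumes list and read use the same path
    (KV v1 style); a KV v2 mount lists under ``<mount>/metadata/`` and reads
    under ``<mount>/data/`` — confirm against the target mount.
    """
    if path is None:
        path = ['secret/']
    if client is None:
        client = vlt
    prefix = "".join(path)
    listing = client.list(prefix)
    # The TypeError guard is kept from the original; presumably the client
    # returns None (not a dict) when nothing is listable at the prefix.
    try:
        keys = listing['data']['keys']
    except TypeError:
        keys = []
    for k in keys:
        if k.endswith('/'):
            path.append(str(k))
            try:
                enum_vault(path, client)
            finally:
                # Always unwind, even if a nested read raises.
                path.pop()
        else:
            pathstr = prefix + str(k)
            secret = client.read(pathstr)
            # A key that lists but does not read back (e.g. removed between
            # the list and the read) prints "None" instead of raising.
            data = secret['data'] if secret is not None else None
            print(pathstr + " ==> " + str(data))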
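# Only walk the default "secret/" prefix when run as a script, so the
# module can be imported (e.g. to reuse enum_vault) without dumping secrets.
if __name__ == '__main__':
    enum_vault()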
# KV secrets engines: mount path -> engine type
vault read -format=json sys/mounts \
  | jq -r '.data | to_entries | map(select(.value.type == "kv")) | from_entries | .[] |= .type'
# Options block of every mount whose path contains "secret"
vault read -format=json sys/mounts \
  | jq -r '.data | to_entries | map(select(.key | test("secret"))) | from_entries | .[] |= .options'
# AWS secrets engines: mount path -> engine type
vault read -format=json sys/mounts \
  | jq -r '.data | to_entries | map(select(.value.type == "aws")) | from_entries | .[] |= .type'
# AWS auth methods: mount path -> method type
vault read -format=json sys/auth \
  | jq -r '.data | to_entries | map(select(.value.type == "aws")) | from_entries | .[] |= .type'
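# Print the AWS access key ID configured on every AWS *secrets* engine.
# Mount names are read line by line (not word-split) and quoted when used.
# Keys in sys/mounts carry a trailing "/" (e.g. "aws/"); it is stripped so
# the config path is built without a "//". Only access_key is printed —
# the secret key is never echoed.
while IFS= read -r item; do
  [[ -n "$item" ]] || continue
  vault read -format=json "${item%/}/config/root" | jq -r '.data.access_key'
done < <(vault read -format=json sys/mounts | jq -r '.data | with_entries(select(.value.type=="aws")) | keys[]')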
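# Print the AWS access key ID configured on every AWS *auth* method.
# Mount names are read line by line (not word-split) and quoted when used.
# Keys in sys/auth carry a trailing "/" (e.g. "aws/"); it is stripped so
# the config path is built without a "//". Only access_key is printed —
# the secret key is never echoed.
while IFS= read -r item; do
  [[ -n "$item" ]] || continue
  vault read -format=json "auth/${item%/}/config/client" | jq -r '.data.access_key'
done < <(vault read -format=json sys/auth | jq -r '.data | with_entries(select(.value.type=="aws")) | keys[]')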
https://github.com/Mykolaichenko/vaulter
https://github.com/xuwang/vault-scripts