[OCI Vault: Manage a Secret via CLI] Various snippets to manage OCI Vault secrets #ocicli
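# OCI Vault: manage a secret via the OCI CLI.
# Each section below is an independent snippet; edit the OCIDs and the CLI
# profile first, then run the sections one at a time.
# NOTE: the secret value travels on the `oci` command line and in the
# exported environment, so it is visible in shell history and to `ps` while
# the command runs; run these from a shell with history disabled when that
# matters.
export VAULT_OCID=ocid1.vault.oc1.iad.xxx # Edit as needed
export COMPARTMENT_OCID=ocid1.compartment.oc1..xxx # Edit as needed
export KEY_OCID=ocid1.key.oc1.iad.xxx # Edit as needed
# 32 random bytes, base64-encoded once to make them printable (this is the
# password) and a second time because --secret-content-content expects
# base64 input. See http://bit.ly/gen-pwd
export PASSWORD=$(openssl rand -base64 32 | base64)
export SECRET_NAME="my_secret-demo"
export VAULT_USER_PROFILE="VAULT_USER" # OCI CLI Profile
# Deletion time for schedule-secret-deletion; must be at least 24 hours in
# the future (ISO 8601 with a UTC offset).
export DELETION_TIME=2020-09-03T10:20-0600 # Edit as needed

# See a list of vaults in a compartment
oci kms management vault list \
  --profile "$VAULT_USER_PROFILE" \
  -c "$COMPARTMENT_OCID" \
  --query "data[].{id:id,state:\"lifecycle-state\",name:\"display-name\"}" \
  --output table
# Example Output
# +------------------------+------------+--------+
# | id                     | name       | state  |
# +------------------------+------------+--------+
# | ocid1.vault.oc1.phx.xxx| my-vault   | ACTIVE |
# +------------------------+------------+--------+

# Create secret
oci vault secret create-base64 \
  --profile "$VAULT_USER_PROFILE" \
  -c "$COMPARTMENT_OCID" \
  --secret-name "$SECRET_NAME" \
  --vault-id "$VAULT_OCID" \
  --key-id "$KEY_OCID" \
  --secret-content-content "$PASSWORD"

# Get secret ocid.
# --profile and -c are required so the lookup runs against the same
# tenancy/compartment the secret was created in; --all pages through the
# whole list so the name is found even past the first page.
export SECRET_OCID=$(oci vault secret list \
  --profile "$VAULT_USER_PROFILE" \
  -c "$COMPARTMENT_OCID" \
  --all \
  --raw-output \
  --query "data[?\"secret-name\" == '$SECRET_NAME'].id | [0]")

# List secret versions
oci secrets secret-bundle-version list-versions \
  --profile "$VAULT_USER_PROFILE" \
  --all \
  --secret-id "$SECRET_OCID" \
  --query "data[].{\"version-number\":\"version-number\",\"stages\":\"stages\"}" \
  --output table
# Example Output
# +-----------------------+----------------+
# | stages                | version-number |
# +-----------------------+----------------+
# | ['CURRENT', 'LATEST'] | 6              |
# | ['PREVIOUS']          | 5              |
# | ['DEPRECATED']        | 4              |
# | ['DEPRECATED']        | 3              |
# | ['DEPRECATED']        | 2              |
# | ['DEPRECATED']        | 1              |
# +-----------------------+----------------+

# Get secret decoded text.
# The bundle content is base64; `--decode` is accepted by both GNU and BSD/macOS
# base64 (the `-D` spelling is macOS-only).
oci secrets secret-bundle get \
  --profile "$VAULT_USER_PROFILE" \
  --raw-output \
  --secret-id "$SECRET_OCID" \
  --query "data.\"secret-bundle-content\".content" | base64 --decode

# Get secret decoded text for prior version
oci secrets secret-bundle get \
  --profile "$VAULT_USER_PROFILE" \
  --raw-output \
  --version-number 1 \
  --secret-id "$SECRET_OCID" \
  --query "data.\"secret-bundle-content\".content" | base64 --decode

# Update a secret (creates a new version with a fresh random value)
oci vault secret update-base64 \
  --profile "$VAULT_USER_PROFILE" \
  --secret-id "$SECRET_OCID" \
  --force \
  --secret-content-content "$(openssl rand -base64 32 | base64)"

# Delete a secret. Time must be at least 24 hours in the future
oci vault secret schedule-secret-deletion \
  --profile "$VAULT_USER_PROFILE" \
  --secret-id "$SECRET_OCID" \
  --time-of-deletion "$DELETION_TIME"

# Cancel secret deletion
oci vault secret cancel-secret-deletion \
  --profile "$VAULT_USER_PROFILE" \
  --secret-id "$SECRET_OCID"

# List secrets
oci vault secret list \
  --profile "$VAULT_USER_PROFILE" \
  -c "$COMPARTMENT_OCID" \
  --query "data[].{id:id,\"secret-name\":\"secret-name\",state:\"lifecycle-state\",\"time-of-deletion\":\"time-of-deletion\"}" \
  --output table
# Example Output
# +-------------------------------+----------------+------------------+---------------------------+
# | ocid1.vaultsecret.oc1.iad.xxx | secret5        | ACTIVE           | None                      |
# | ocid1.vaultsecret.oc1.iad.xxx | secret4        | PENDING_DELETION | 2020-09-03T16:20:00+00:00 |
# | ocid1.vaultsecret.oc1.iad.xxx | my_secret      | ACTIVE           | None                      |
# | ocid1.vaultsecret.oc1.iad.xxx | cmr-secret3    | ACTIVE           | None                      |
# | ocid1.vaultsecret.oc1.iad.xxx | cmr-secret1    | ACTIVE           | None                      |
# | ocid1.vaultsecret.oc1.iad.xxx | cmr-apache-pvt | ACTIVE           | None                      |
# | ocid1.vaultsecret.oc1.iad.xxx | cat_manga      | ACTIVE           | None                      |
# +-------------------------------+----------------+------------------+---------------------------+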