@zetta
Created March 18, 2019 10:54
Vault import / export

PHackup

Usage

export [path] [version]

 path      path where the secrets are stored, usually secret
 version   version number of the kv backend mounted in that path

Generates a JSON file named after the path provided

import [path]

 path      path where the secrets are stored, usually secret

Assumes there is a file named after the provided path, with a .json extension

Export

php export.php config 2  # exports all secrets to a file called config.json
php export.php secret 2
php export.php private 1

Import

php import.php secret # imports all secrets from a file called secret.json
<?php
// export.php: walk a KV mount recursively and dump every secret to <path>.json
if ($argc < 3) {
    fwrite(STDERR, "usage: php export.php <path> <kv-version>\n");
    exit(1);
}
$token = trim(file_get_contents("/root/.vault-token"));
$path = $argv[1];
$v = (int) $argv[2];

function call($command, $echo = true)
{
    if ($echo) {
        echo $command, "\n"; // the echoed command line includes the token
    }
    $return = [];
    exec($command, $return);
    return implode("\n", $return);
}

function vault($path, $method = 'GET')
{
    global $token;
    // shell-quote every argument so a path with unusual characters cannot break the command
    $command = "curl -qs -X " . escapeshellarg($method)
        . " -H " . escapeshellarg("x-vault-token: $token")
        . " " . escapeshellarg("http://localhost:8282/v1/$path");
    return json_decode(call($command), true);
}

function get_secret($path, $v)
{
    if ($v == 2) {
        // KV v2 lists under .../metadata/ but reads under .../data/, and nests the map in data.data
        $path = str_replace('/metadata/', '/data/', $path);
        return vault($path)['data']['data'];
    } else {
        return vault($path)['data'];
    }
}

function find_secrets($path, $v)
{
    $secrets = [];
    $list = vault($path, 'LIST');
    foreach ($list['data']['keys'] as $key) {
        if ($key == 'tomcat.keystore2014') { // not handling binary files
            continue;
        }
        if (substr($key, -1) == '/') {
            // a trailing slash marks a folder: descend into it
            $secrets += find_secrets($path . $key, $v);
        } else {
            $secrets[$path . $key] = get_secret($path . $key, $v);
        }
    }
    return $secrets;
}

$secrets = find_secrets($path . '/' . ($v == 2 ? 'metadata/' : ''), $v);
file_put_contents($path . '.json', json_encode($secrets));
<?php
// import.php: read <path>.json (as written by export.php) and write each secret back
if ($argc < 2) {
    fwrite(STDERR, "usage: php import.php <path>\n");
    exit(1);
}
$token = trim(file_get_contents("/root/.vault-token"));
$name = $argv[1];

function call($command, $echo = true)
{
    if ($echo) {
        echo $command, "\n"; // the echoed command line includes the token
    }
    $return = [];
    exec($command, $return);
    return implode("\n", $return);
}

function vault($path, $method = 'GET', $args = '')
{
    global $token;
    $command = "curl -qs -X " . escapeshellarg($method)
        . " -H " . escapeshellarg("x-vault-token: $token")
        . " " . escapeshellarg("http://localhost:8282/v1/$path") . " " . $args;
    return json_decode(call($command), true);
}

$temp = '____temp.json'; // holds one secret at a time in plaintext; removed at the end
foreach (json_decode(file_get_contents($name . '.json')) as $key => $value) {
    // export.php records KV v2 paths under .../metadata/; writes go to .../data/
    $key = str_replace('/metadata/', '/data/', $key);
    // KV v2 expects the map wrapped in "data" (a v1 mount would take the raw map instead)
    $value = ['data' => $value];
    file_put_contents($temp, json_encode($value));
    $response = vault($key, 'POST', "--data @$temp");
    echo $key, ":", json_encode($response), "\n";
}
unlink($temp);
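The export/import flow above (LIST under the mount, translate metadata/ to data/ on KV v2, wrap the payload on write), as an added example that is not part of the gist; walk, export_mount, import_requests and FakeKV are names I chose, and the mount contents are constructed:

```python
# Added example, not the gist's code: the same recursive walk over Vault's KV HTTP API
# with the v1/v2 differences made explicit. FakeKV is a constructed in-memory stand-in
# for LIST/GET so this runs offline; a real client would issue HTTP requests with X-Vault-Token.
def walk(list_fn, get_fn, path, version):
    """Collect every secret below `path` (a LIST-able prefix) as {full_path: map}."""
    secrets = {}
    for key in list_fn(path):
        full = path + key
        if key.endswith('/'):                      # folder: descend
            secrets.update(walk(list_fn, get_fn, full, version))
        elif version == 2:
            # v2 lists under .../metadata/ but reads under .../data/, and the secret
            # map sits at data.data (data.metadata carries version info)
            secrets[full] = get_fn(full.replace('/metadata/', '/data/', 1))['data']['data']
        else:
            secrets[full] = get_fn(full)['data']   # v1: the map is directly in data
    return secrets

def export_mount(list_fn, get_fn, mount, version):
    root = f"{mount}/metadata/" if version == 2 else f"{mount}/"
    return walk(list_fn, get_fn, root, version)

def import_requests(exported, version):
    """Map an export dict to (write_path, body) pairs for the target mount."""
    if version == 2:   # v2 writes to .../data/ and wraps the map in "data"
        return [(k.replace('/metadata/', '/data/', 1), {'data': v}) for k, v in exported.items()]
    return list(exported.items())   # v1 takes the raw map; wrapping would store a key "data"

class FakeKV:
    """Constructed mount: `tree` maps relative secret paths to their key/value maps."""
    def __init__(self, mount, version, tree):
        self.mount, self.version, self.tree = mount, version, tree
    def _rel(self, path):   # strip the mount prefix (and metadata/ or data/ on v2)
        prefixes = [self.mount + '/metadata/', self.mount + '/data/'] if self.version == 2 \
            else [self.mount + '/']
        for prefix in prefixes:
            if path.startswith(prefix):
                return path[len(prefix):]
        raise KeyError(path)
    def list(self, path):   # like LIST: direct children only, folders end with '/'
        rel, keys = self._rel(path), set()
        for name in self.tree:
            if name.startswith(rel):
                rest = name[len(rel):]
                keys.add(rest.split('/', 1)[0] + '/' if '/' in rest else rest)
        return sorted(keys)
    def get(self, path):    # like GET: v2 nests the map one level deeper than v1
        value = self.tree[self._rel(path)]
        return {'data': {'data': value, 'metadata': {}}} if self.version == 2 else {'data': value}
```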

Kyslik commented Dec 9, 2019

One can use:

# skip the "Keys" / "----" header lines that vault kv list prints
vault kv list secret/path/ | tail -n +3 |
  while IFS= read -r line
  do
    vault kv get secret/path/"$line" > "$line".txt
  done

zetta (Author) commented Dec 17, 2019

the PHP one works recursively too 😁
