vault-cli: 12-factor oriented command line tool for Hashicorp Vault
vault-cli is a Python 3.6+ tool that offers simple interactions to manipulate secrets from Hashicorp Vault. With vault-cli, your secrets can be kept secret, while following 12-factor principles.
Some features
- Configure once, use everywhere thanks to cascading (local, user, global) YAML configuration file
- Read, browse, write, move, delete secrets easily
- Read multiple secrets at once, as YAML
- Launch processes with your secrets as environment variables
- Launch processes with ssh-agent configured from your vault
- Write templated files with secrets inside

vault-cli tries to make accessing secrets both secure and painless.
Showcase
Here are a few things you might do with vault-cli:
$ # Install:
$ pip install vault-cli
$ # Write a secret:
$ vault-cli set mysecret mykey --prompt
Please enter a value for key `mykey` of `mysecret`: *******
$ # Read a secret:
$ vault-cli get mysecret mykey
ohsosecret
$ # Load a secret into the environment variables:
$ vault-cli env --envvar mysecret -- env | grep MYSECRET
MYSECRET_MYKEY=ohsosecret
$ # Load an ssh key into your ssh-agent:
$ vault-cli ssh --key ssh_private_key -- ssh -T git@github.com
Hi <username>! You've successfully authenticated, but GitHub does not provide shell access.
State
The package is young but supported and alive. We're mindful of deprecations, which we signal through semantic versioning, and we accept bug reports and feature requests.
In action
$ vault-cli --help
Usage: vault-cli [OPTIONS] COMMAND [ARGS]...

  Interact with a Vault. See subcommands for details.

  All arguments can be passed by environment variables:
  VAULT_CLI_UPPERCASE_NAME (including VAULT_CLI_PASSWORD and VAULT_CLI_TOKEN).

Options:
  -U, --url TEXT                  URL of the vault instance
  --verify / --no-verify          Verify HTTPS certificate
  --ca-bundle PATH                Location of the bundle containing the server
                                  certificate to check against.
  --login-cert PATH               Path to a public client certificate to use
                                  for connecting to vault.
  --login-cert-key PATH           Path to a private client certificate to use
                                  for connecting to vault.
  -T, --token-file PATH           File which contains the token to connect to
                                  Vault. Configuration file can also contain a
                                  "token" key.
  -u, --username TEXT             Username used for userpass authentication
  -w, --password-file PATH        Can read from stdin if "-" is used as
                                  parameter. Configuration file can also
                                  contain a "password" key.
  -b, --base-path TEXT            Base path for requests
  -s, --safe-write / --unsafe-write
                                  When activated, you can't overwrite a secret
                                  without passing "--force" (in commands
                                  "set", "mv", "cp", etc)
  --render / --no-render          Deprecated / unused
  --umask TEXT                    Set umask for newly created files. Defaults
                                  to files with read-write for owner and
                                  nothing for group & others
  -v, --verbose                   Use multiple times to increase verbosity
  --config-file PATH              Config file to use. Use 'no' to disable
                                  config file. Default value: first of
                                  ./vault.yml, ~/.vault.yml, /etc/vault.yml
  -V, --version
  -h, --help                      Show this message and exit.

Commands:
  cp            Recursively copy secrets from source to destination path.
  delete        Delete a single secret.
  delete-all    Delete multiple secrets.
  dump-config   Display settings in the format of a config file.
  env           Write secrets to disk, load secrets in environment...
  get           Return a single secret value.
  get-all       Return multiple secrets.
  list          List all the secrets at the given path.
  lookup-token  Return information regarding the current token
  mv            Recursively move secrets from source to destination path.
  set           Set a secret.
  set-all       Set multiple secrets at once from a yaml mapping.
  ssh           Launch a command, with a configured ssh-agent running.
  template      Render the given template and insert secrets in it.
Table of contents
- Quickstart
- How-to…
  - Configure vault-cli
  - Authenticate against the vault
  - Read secrets from the vault
  - Write secrets into the vault
  - Launch a process with your secrets as environment variables
  - Render templated files with secrets
  - Use an SSH private key without writing it on the disk
  - Integrate with SystemD
  - Reorganize the content of the vault
  - Access a special folder easily
  - Control permissions of newly created files
  - Avoid overwriting secrets by accident
  - Interact with a secret that starts with a dash
  - Move secrets from a Vault cluster to a different Vault cluster
  - Use vault_cli inside a Python program
  - Use vault-cli in your tests
  - Troubleshoot your problems
  - Get information on your current token
  - Upgrade vault-cli from previous version
- Configure
- Discussions
- API Reference
- Glossary
- Contributing
- Changelog