【Question title】:Hashicorp vault - export key from one vault, import into another vault
【Posted】:2021-07-05 13:23:54
【Question】:

I want to export a key from one vault and then import it into another vault.

It feels like there should be a simple way to do this from the command line, but I don't see a clean, high-level way to fully export a key and then import it.

Is there a way to do this? I would prefer a command-line solution, using vault scripting.

【Question comments】:

  • Could you give more information about what you mean by key? Is it a KV item?
  • Yes, a key-value item, versioned, if that makes a difference! @user2599522

Tags: hashicorp-vault


【Answer 1】:

We are developing an open-source CLI tool that does what you are asking for. The tool can handle a single secret or a complete tree structure on both export and import. It also supports end-to-end encryption of your secrets between the export from one Vault instance and the import into another.
https://github.com/jonasvinther/medusa

# point the CLI at the source instance (example values from the answer)
export VAULT_ADDR=https://192.168.86.41:8201
# disables TLS certificate verification for this instance
export VAULT_SKIP_VERIFY=true
export VAULT_TOKEN=00000000-0000-0000-0000-000000000000

# dump a secret (or subtree) to a file, then load it under a new path
./medusa export kv/path/to/secret --format="yaml" --output="my-secrets.txt"
./medusa import kv/path/to/new/secret ./my-secrets.txt

【Comments】:

【Answer 2】:

The only way to do this is to chain two vault commands, which in effect reads the value from the first vault and then writes it to the second vault. For example:

# read the current version's data from the first vault as a JSON object
export VAULT_TOKEN=valid-token-for1
export VAULT_ADDR=https://vault1
JSON_DATA=$(vault kv get -format json -field data secret/foo)

# write the same object to the second vault; "-" makes kv put read the JSON from stdin
# (quoted so that whitespace and glob characters inside the JSON survive)
export VAULT_TOKEN=valid-token-for2
export VAULT_ADDR=https://vault2
echo "$JSON_DATA" | vault kv put secret/foo -


【Comments】:

【Answer 3】:

The only way to export data from one vault to another is to do it individually for each key (and each path). I have written a small bash script to automate this for all keys under a given path.

This script polls the data of each key (for the given path) from the source vault and inserts it into the destination vault.

You need to provide the vault URL, token and CA certificate (for https authentication) of the source and destination vaults, as well as the path (holding the keys), in the script below -

#! /usr/bin/env bash

source_vault_url="<source-vault-url>"
source_vault_token="<source_vault_token>"
source_vault_cert_path="<source_vault_cert_path>"

destination_vault_url="<destination_vault_url>"
destination_vault_token="<destination_vault_token>"
destination_vault_cert_path="<destination_vault_cert_path>"

# secret_path is the path from which the keys are to be exported from source vault to destination vault
secret_path="<path-without-slash>"

function _set_source_vault_env_variables() {
    export VAULT_ADDR="${source_vault_url}"
    export VAULT_TOKEN="${source_vault_token}"
    export VAULT_CACERT="${source_vault_cert_path}"
}

function _set_destination_vault_env_variables() {
    export VAULT_ADDR="${destination_vault_url}"
    export VAULT_TOKEN="${destination_vault_token}"
    export VAULT_CACERT="${destination_vault_cert_path}"
}

_set_destination_vault_env_variables

printf 'Enabling kv-v2 secret at the path %s in the destination vault -\n' "${secret_path}"
vault secrets enable -path="${secret_path}/" kv-v2 || true

_set_source_vault_env_variables

# getting all the keys in the given path from source vault
# (sed drops the "Keys" / "----" header lines of the plain listing)
keys=$(vault kv list "${secret_path}/" | sed '1,2d')

# iterating through each key in source vault (in the given path) and inserting the same into destination vault
# note: entries ending in "/" are sub-paths; this script does not descend into them
printf 'Exporting keys from source vault %s at path %s/ ... \n' "${source_vault_url}" "${secret_path}"
for key in ${keys}
do

    _set_source_vault_env_variables

    key_data_json=$(vault kv get -format json -field data "${secret_path}/${key}")

    # data is passed as an argument, never as the printf format string
    # (prints the secret values to the terminal)
    printf '%s %s\n' "${key}" "${key_data_json}"

    _set_destination_vault_env_variables

    # quoted so that whitespace and glob characters in the JSON survive
    echo "${key_data_json}" | vault kv put "${secret_path}/${key}" -
done

printf 'Export Complete!\n'

# listing all the keys (in the given path) in the destination vault
printf 'Keys in the destination vault %s at path %s/ -\n' "${destination_vault_url}" "${secret_path}"
vault kv list "${secret_path}"


【Comments】:
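The read-then-write loop of answers 2 and 3, as an added example that is not from either answer, extended to descend into nested sub-paths (the entries that `vault kv list` marks with a trailing `/`). It assumes the `vault` CLI is on PATH and that the caller sets the assumed variables SRC_ADDR, SRC_TOKEN, DST_ADDR and DST_TOKEN; as in the answers above, only the current version of each secret is copied, so the version history and custom metadata of a versioned KV store are not preserved.

```shell
#!/usr/bin/env bash
# Added example (not from the answers above). Assumed caller-set variables:
# SRC_ADDR/SRC_TOKEN and DST_ADDR/DST_TOKEN; the `vault` CLI must be on PATH.

# Run a vault command against the source ("src") or destination ("dst") instance.
_vault() {
  local side=$1; shift
  if [ "$side" = src ]; then
    VAULT_ADDR="$SRC_ADDR" VAULT_TOKEN="$SRC_TOKEN" vault "$@"
  else
    VAULT_ADDR="$DST_ADDR" VAULT_TOKEN="$DST_TOKEN" vault "$@"
  fi
}

# Print every leaf secret path below a KV v2 path in the source vault, one per
# line. `vault kv list` prints a "Keys/----" header (dropped with tail) and marks
# sub-folders with a trailing "/", which is where we recurse.
kv_leaves() {
  local base=${1%/}
  _vault src kv list "$base/" 2>/dev/null | tail -n +3 | while read -r entry; do
    case "$entry" in
      */) kv_leaves "$base/$entry" ;;        # sub-folder: descend
      *)  printf '%s\n' "$base/$entry" ;;    # leaf secret
    esac
  done
}

# Copy the CURRENT version of every leaf from source to destination and print
# the number copied. Older versions and custom metadata are not carried over.
# Everything is quoted so JSON containing spaces or '*' survives intact.
copy_tree() {
  kv_leaves "$1" | {
    n=0
    while read -r leaf; do
      if ! data=$(_vault src kv get -format=json -field=data "$leaf"); then
        printf 'skip %s: read failed\n' "$leaf" >&2
        continue
      fi
      if printf '%s' "$data" | _vault dst kv put "$leaf" - >/dev/null; then
        n=$((n + 1))
        printf 'copied %s\n' "$leaf" >&2      # path only: never log secret data
      else
        printf 'failed to write %s\n' "$leaf" >&2
      fi
    done
    echo "$n"
  }
}
```

After sourcing the file, `copy_tree secret/app` walks everything below that path, reports each copied path on stderr and prints the count on stdout.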
