kir4h / rvault

Small tool to perform some recursive operations on Hashicorp's Vault KV
MIT License
46 stars 11 forks

Export all secrets only with key but without value #6

Closed syy6 closed 2 years ago

syy6 commented 2 years ago

With rvault read secret, we can export all the secrets. But is it possible to export only the keys, without the values? Thanks!

kir4h commented 2 years ago

You should be able to use the list command (https://github.com/kir4h/rvault#list) to list the keys without values.

To export from the root path and the secret engine:

rvault list secret -v=0

syy6 commented 2 years ago

Hi @kir4h, thanks a lot for your quick response, but actually my requirement is a bit different here. E.g. in Vault, I have a secret engine named "abc". Then inside this engine, there are some keys such as efg/hij. Then under this efg/hij, there are some keys such as klm, opq, etc. Or say, under the secret efg/hik there are some line items. I hope to list all the keys and line items, but without showing the values. (Screenshot omitted.)

Thanks a lot!
BR, Yongyuan

kir4h commented 2 years ago

Sorry @syy6, I was using bad naming and stating keys instead of secrets (rvault currently lists secrets, and read reads key and value items for each secret).

This is something not currently supported in rvault. It could be implemented by filtering what gets exported (instead of key:value just key), shouldn't be too hard. What is the use case? Asking because this approach would require the same privileges, as values are read but discarded later.

In the meantime, if it's only about having a clean export without the values, you might want to use jq for filtering them out. Depending on your ultimate goal you can fine-tune the jq expression or add additional pipes.

Given the secret shown in the screenshot (image omitted):

$ rvault read secret -v=0 -f json | jq '.| map_values(keys)'
{
  "/andalucia/almeria/ssh.key": [
    "value"
  ]
}
syy6 commented 2 years ago

Thanks a lot, @kir4h! The jq method works well. The scenario is really a bit tricky. Simply speaking, we have two systems (same codeline) which are isolated and operated by two groups of people. They hope to take reference from each other, so they need to compare the content in Vault, but the credentials in Vault should be kept invisible to each other.

kir4h commented 2 years ago

Glad to hear it worked. As long as you are just handing the result to the other team, and you can run it with enough privileges, this should be fine.

I think since there is a simple solution using jq it's not worth adding it to the tool, so I'm closing the issue.
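The `map_values(keys)` filter from kir4h's comment, and the compare-two-Vaults-without-seeing-values use case syy6 describes, as an added Python example (not code from rvault or this thread). The two exports are constructed samples in the shape `rvault read -f json` produced above (secret path mapped to its key/value items); the script never emits a value, but the token that runs the export still needs read access, exactly as kir4h notes.

```python
import json

# Constructed sample exports in the shape shown in the thread:
# {"<secret path>": {"<key>": "<value>", ...}, ...}
# Values are placeholders; real exports hold the actual secret values.
EXPORT_A = json.dumps({
    "/andalucia/almeria/ssh.key": {"value": "PLACEHOLDER-A1"},
    "/andalucia/granada/db": {"username": "app", "password": "PLACEHOLDER-A2"},
})
EXPORT_B = json.dumps({
    "/andalucia/almeria/ssh.key": {"value": "PLACEHOLDER-B1"},
    "/andalucia/granada/db": {"username": "app", "password": "PLACEHOLDER-B2",
                              "port": "5432"},
    "/andalucia/sevilla/api": {"token": "PLACEHOLDER-B3"},
})


def strip_values(export_json: str) -> dict:
    """Equivalent of `jq '. | map_values(keys)'`: keep each secret path and
    its key names, drop every value. Keys are sorted, as jq's `keys` does.
    Builds a fresh dict so no value object is carried along by reference."""
    export = json.loads(export_json)
    return {path: sorted(kv.keys()) for path, kv in export.items()}


def diff_structure(a_json: str, b_json: str) -> dict:
    """Compare two exports on structure only: secret paths present on one
    side, and for shared paths the key names that differ. Values are
    stripped first, so the report can be shared between the two teams.
    Key names themselves can still be sensitive; review before handing over."""
    a, b = strip_values(a_json), strip_values(b_json)
    key_diffs = {}
    for path in sorted(set(a) & set(b)):
        if a[path] != b[path]:
            key_diffs[path] = {
                "only_a": sorted(set(a[path]) - set(b[path])),
                "only_b": sorted(set(b[path]) - set(a[path])),
            }
    return {
        "only_a": sorted(set(a) - set(b)),
        "only_b": sorted(set(b) - set(a)),
        "key_diffs": key_diffs,
    }


if __name__ == "__main__":
    print(json.dumps(strip_values(EXPORT_A), indent=2))
    print(json.dumps(diff_structure(EXPORT_A, EXPORT_B), indent=2))
```

Feed it the files written by `rvault read secret -v=0 -f json` on each side to get the same structural comparison without either team seeing the other's values.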