`vkv` is a little CLI tool written in Go, which enables you to list, compare, import, document, backup & encrypt secrets from a HashiCorp Vault KV-v2 engine:

- recursively print secrets of any KVv2 engine in `json`, `yaml`, `markdown` and other formats
- engine export shows the secret version as well as its custom metadata
- customize the output (show only-keys, only-paths, mask/unmask secrets) via flags or environment
- print the CRUD-capabilities of the authenticated token for each KV-path (format: `policy`)
- print secrets in `export <key>=<value>` format for variable exporting (format: `export`)
- import secrets back to Vault from `vkv`'s `json` or `yaml` format
- save and restore KVv2 snapshots (including namespaces) and running on kubernetes
- list all engines or namespaces for scripting purposes
- handy snippets for managing KVv2 engines using `fzf`, `sops` & `diff`

Check out the Quickstart Guide to learn more about `vkv`.

# Installation
```bash
curl -OL https://github.com/FalcoSuessgott/vkv/releases/latest/download/vkv_0.2.2_$(uname)_$(uname -m).tar.gz
# unpack the archive that was just downloaded for this OS and architecture
tar xzf vkv_0.2.2_$(uname)_$(uname -m).tar.gz
chmod u+x vkv
./vkv version
vkv 0.2.2

# set required env vars
export VAULT_ADDR=https://vault-server:8200
export VAULT_TOKEN=<your-vault-token>

# verify connection
vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.12.1
Build Date      2022-10-27T12:32:05Z
Storage Type    inmem
Cluster Name    vault-cluster-ffd05212
Cluster ID      42ef92d5-eb21-0cb5-dd0b-804dac04e505
HA Enabled      false

# list secrets recursively of a KVv2 engine
vkv export --path <KVv2-engine path>
secret/
├── v1: admin [key=value] # v1 -> secret version; "admin" -> secrets name; "[key=value]" -> secrets custom metadata
│   └── sub=******** # "sub" -> key; "*****" -> masked value (disable with --show-values)
├── v1: demo
│   └── foo=***
└── sub/
    ├── v1: demo
    │   ├── demo=***********
    │   ├── password=******
    │   └── user=*****
    └── sub2
        └── v2: demo [admin=false key=value]
            ├── admin=***
            ├── foo=***
            ├── password=********
            └── user=****
```
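
The tree output above masks values unless `--show-values` is given. The following is an added example, not part of vkv or its README: a shell check that reads such a tree on stdin and reports any key whose value is not fully masked, for instance before the output is written to a CI log. It assumes the raw tree layout shown above (without the explanatory `#` annotations); the function name `vkv_unmasked_keys` and both sample trees are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of vkv. Reads `vkv export` tree output on stdin and
# lists every key whose value is not fully masked with '*'. Prints key names
# only, never values, and returns non-zero if any unmasked value was found.
vkv_unmasked_keys() {
  awk '
    BEGIN { marker = "── " }                  # branch marker before each entry
    {
      i = index($0, marker)
      if (i == 0) next                         # root line such as "secret/"
      body = substr($0, i + length(marker))
      if (body ~ /^v[0-9]+: /) {               # secret header: "v1: admin [meta]"
        secret = body
        sub(/^v[0-9]+: /, "", secret)
        sub(/ \[.*$/, "", secret)              # drop custom metadata
        next
      }
      eq = index(body, "=")
      if (eq == 0) next                        # directory entry such as "sub/"
      key = substr(body, 1, eq - 1)
      value = substr(body, eq + 1)
      if (value !~ /^[*]*$/) {                 # anything but asterisks is a leak
        print secret ": " key
        found = 1
      }
    }
    END { exit (found ? 1 : 0) }
  '
}

# Constructed sample trees (not captured from a real Vault).
SAMPLE_MASKED='secret/
├── v1: admin [key=value]
│   └── sub=********
└── sub/
    └── v2: demo [admin=false key=value]
        └── password=********'

SAMPLE_LEAK='secret/
├── v1: admin [key=value]
│   └── sub=********
└── v1: demo
    ├── foo=***
    └── password=hunter2 with space'
```

In a pipeline, `vkv export --path <KVv2-engine path> | vkv_unmasked_keys` exits with status 1 when any value is shown in clear, so the step can fail before the output is stored.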