peopledoc/vault-cli

vault patch

ewjoachim opened this issue · 1 comments

```
$ vault patch /etc/someprogram/conf.py "^ +api_token: ?(.*)$" some/path [key]
```

Will read the following file:

```
[someprogram]
    url: someprogram.example.com
    api_token: old token
```

and will read the secret at some/path (say, new token) and rewrite the file as follows:

```
[someprogram]
    url: someprogram.example.com
    api_token: new token
```

For now we do not plan to have multiple replacements or handle templates. Maybe someday. Meanwhile, a templated secret can be used as an intermediate step to do that.

This would encourage writing secrets on the disk, and is hard to combine with a TemporaryFileSystem solution. I'm not sure it's a good idea (let's wait until we really need it)
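
A sketch of the patch step proposed in this issue, added here as an illustration and not taken from vault-cli: it replaces capture group 1 of the first match and, since the result is a secret on disk, writes it through a 0600 temporary file and an atomic rename. The names `patch_text` and `patch_file`, the use of `re.MULTILINE`, and the decision to reset the file mode to 0600 are assumptions; fetching the secret from Vault is left out.

```python
import os
import re
import tempfile

# Constructed sample, copied from the file shown in the issue.
SAMPLE = "[someprogram]\n    url: someprogram.example.com\n    api_token: old token\n"
PATTERN = r"^ +api_token: ?(.*)$"


def patch_text(text, pattern, secret):
    """Return text with capture group 1 of the first match replaced by secret."""
    regex = re.compile(pattern, re.MULTILINE)  # assumption: ^ and $ anchor per line
    if regex.groups < 1:
        raise ValueError("pattern needs a capture group marking the secret")
    match = regex.search(text)
    if match is None or match.span(1) == (-1, -1):
        raise ValueError("pattern did not match; file left untouched")
    start, end = match.span(1)
    # Slicing instead of re.sub: a secret containing "\1" or "\g<0>" must be
    # written literally, not interpreted as a replacement template.
    return text[:start] + secret + text[end:]


def patch_file(path, pattern, secret):
    """Patch path in place; readers never see a partial or group-readable file."""
    with open(path, encoding="utf-8") as handle:
        patched = patch_text(handle.read(), pattern, secret)
    # mkstemp creates the file with mode 0600. Same directory as the target so
    # that os.replace is a rename within one filesystem, which is atomic.
    # Assumption: the patched file is deliberately left at 0600, owned by the
    # calling user, whatever the original mode was.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".patch-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            handle.write(patched)
            handle.flush()
            os.fsync(handle.fileno())
        os.replace(tmp_path, path)
    except BaseException:
        os.unlink(tmp_path)  # do not leave a stray copy of the secret behind
        raise


if __name__ == "__main__":
    print(patch_text(SAMPLE, PATTERN, "new token"), end="")
```
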