Migrating secrets using HashiCorp Vault and safe CLI
Vault is a secret management service by HashiCorp. It is a tool that will help you in storing secrets(api keys, passwords etc) and accessing them securely. You can use Vault with a user interface as well as through CLI.
In this blog we will not be going deep into what vault is but instead will look at how we can migrate secrets from one vault to another. We can migrate secrets from the vault using the vault CLI but it can get a little complicated to do so. Therefore to make things easy we will use safe CLI which is a wrapper around Vault. It will help us in managing and migrating our secrets by using simple commands. It also helps us connect to different vault instances very quickly for migration purposes.
For more detailed information about Safe CLI go through their README.
For this demo we will migrate secrets from one vault to another. I obviously will not be using a production grade vault but spin up a local vault dev server provided by vault itself for getting familiar with vault. You can check out how to spin up a dev server here.
Before starting with safe we need to connect to the vault with secrets and the target vault and retrieve tokens. These tokens will be used by safe for authenticating.
Method to login to vault:
export VAULT_TOKEN=$(vault login -method=cert -token-only)
vault login -method=cert
Once you are logged in the vault will return a token. Save this token as It will be used by safe to login the vaults.
Install safe CLI from here. You can get the safe binaries here. If you are on a Linux machine like me you can you use this command.
Once it is installed give permission to the executable with:
chmod u+x <executable name>
You can add an alias for safe in
.bashrc for easy use of CLI.
The first step towards migration through safe will be to add vault instances in safe. Safe adds vault instances as targets.
We will first add the vault which contains our secret.
safe target <vault_address> <vault_name>
In case you want to skip tls verification pass
safe target -k <vault_address> <vault_name>
And to connect to this address we need to authenticate. The most common way to authenticate is to use a token but you can authenticate in different ways as well.
safe auth token
Once you have added the token you can check the env variables to make sure that added values are correct using:
safe env --bash
For more information on authentication and different commands please go through the safe CLI README.
Repeat the same steps to connect to the target vault to which you want to migrate your secrets to.
In case the paths for both vaults are same you can import the secrets with a single command
safe -T <target> export <path> | safe -T <target_vault> import <path>
In case the paths for both vaults are different you will need to do it manually using these steps:
safe -T <target> export <path>
This will echo the secrets. Copy them into a file and change the key value to the new path.
Import the updated secrets with new paths using the command
Safe import < ./<filename>
You can check the secret tree by pointing to wanted target
Safe tree <path>
These steps should help you complete your migration easily.
You can checkout my other blogs here.
You can also follow me on DZone.