Migrating secrets using HashiCorp Vault and safe CLI

Vault is a secret management service by HashiCorp. It is a tool that helps you store secrets (API keys, passwords, etc.) and access them securely. You can use Vault through a user interface as well as through the CLI.

In this blog we will not go deep into what Vault is; instead we will look at how to migrate secrets from one Vault to another. You can migrate secrets with the Vault CLI alone, but it gets a little complicated. To make things easy we will use the safe CLI, which is a wrapper around Vault. It helps us manage and migrate secrets with simple commands, and it lets us switch between different Vault instances very quickly for migration purposes.

For more detailed information about Safe CLI go through their README.

For this demo we will migrate secrets from one Vault to another. I will obviously not use a production-grade Vault; I will spin up the local dev server that Vault itself provides for getting familiar with it. You can check out how to spin up a dev server here.

Before starting with safe we need to log in to both the Vault that holds the secrets and the target Vault, and retrieve a token from each. safe will use these tokens to authenticate.

Method to log in to Vault (cert auth method shown here):

export VAULT_ADDR=<vault_url>
export VAULT_SKIP_VERIFY=<true/false>
export VAULT_CLIENT_CERT=<vault_client_cert_path>
export VAULT_CLIENT_KEY=<vault_client_key_path>
export VAULT_CACERT=<vault_ca_cert_path>        # the Vault CLI reads VAULT_CACERT, not VAULT_CA_CERT
export VAULT_TOKEN=$(vault login -method=cert -token-only)   # capture only the token
vault login -method=cert                                     # optional: also caches the token in ~/.vault-token

Once you are logged in, Vault returns a token. Save this token, as safe will use it to log in to the Vaults.

Install the safe CLI from here. You can get the safe binaries here. If you are on a Linux machine like me you can use this command:

wget https://github.com/starkandwayne/safe/releases/download/v1.6.1/safe-linux-amd64   # the release asset for Linux amd64; the tag page URL only returns HTML

Once it is installed give permission to the executable with:

chmod u+x <executable name>

You can add an alias for safe in .bashrc so the CLI is easier to use.

The first step towards migrating through safe is to add the Vault instances to safe. safe stores Vault instances as targets.

We will first add the Vault that contains our secrets.

safe target <vault_address> <vault_name>

If you want to skip TLS verification, pass -k:

safe target -k <vault_address> <vault_name>

To use this target we need to authenticate. The most common way is a token, but safe supports other auth methods as well.

safe auth token

Once you have added the token you can print the environment variables safe will use, to make sure the added values are correct:

safe env --bash

For more information on authentication and different commands please go through the safe CLI README.

Repeat the same steps to connect to the target Vault to which you want to migrate your secrets.

Migrating secrets

If the paths are the same in both Vaults you can copy the secrets with a single command (the placeholders are the target aliases you gave to safe target):

safe -T <source_vault> export <path> | safe -T <target_vault> import <path>

If the paths differ between the two Vaults you will need to do it manually using these steps:

safe -T <source_vault> export <path>

This echoes the secrets. Copy them into a file and change each path key to the new path.

Import the updated secrets with the new paths using:

safe -T <target_vault> import < ./<filename>

You can check the secret tree by pointing safe at the desired target:

safe -T <target_vault> tree <path>

These steps should help you complete your migration easily.

You can check out my other blogs here.

You can also follow me on DZone.
