This tool is a wrapper on top of Azure KeyVault. The idea behind it is to provide various automations around it. Please note that this package only works with KeyVault secrets and not with any other object type.
- Able to manage secrets and their attributes via a single file
- Easy update of secrets and preserving their attributes
- Fetch and expose secrets to your CI/CD or any other environment
- Replace secrets from template files directly on your machine
- Easy dump of secrets to migrate to a Vault in different subscription
- Direct migration of secrets between vaults
- Filtering per tags
- Secret expiration hooks
- Handle different secret types
- Adding additional providers like AWS, GCP, etc.
- Migration & synchronisation between providers
- Internal use-case based vaults for easier permission management
- Run in daemon mode for automations
The credentials are taken via DefaultAzureCredential, so any valid credential it supports should work out of the box. To find out the order in which the credential sources are tried, please check the Microsoft documentation.
usage: vaultm [-h] [--log-level LOG_LEVEL] [--config CONFIG] {expose,template,validate,update,dump,finder} ...
usage: pcvm [-h] [--log-level LOG_LEVEL] [--config CONFIG] {expose,template,validate,update,dump,finder} ...
A tool for managing Vault entries.
positional arguments:
{expose,template,validate,update,dump,finder}
Available commands
expose Exposes KeyVault entries.
template Replaces entries in template file.
validate Validate KeyVault entries.
update Update KeyVault entries.
dump Dump KeyVault entries.
finder Find KeyVault entries.
options:
-h, --help show this help message and exit
--log-level LOG_LEVEL
Enable verbose output.
--config CONFIG Specify the config file.
Global Flags:
--config <path to config file>
--log-level <DEBUG/INFO/WARNING/ERROR; by default it is INFO>
By default the tool looks for the config file at ./config.yaml. This can be overridden using the global flag --config <path>.
Syntax:
config:
  vault_name: example-kv                    <String: KeyVault name>
  disable_old_version: False                <Bool: True/False>
  secrets:                                  <List: list of yaml objects>
    - name: example-name                    <String: name for the secret>
      value: asufhasiufhiashfd              <String: secret value for the secret>
      description: cool token for system A  <String: in KeyVault terms this will be the content-type>
      expire: 2025/04/24                    <Date: format is year/month/day, yyyy/mm/dd>
      tags:                                 <List: list of key/value tag pairs for the secret>
        user: yoghurtpower                  <Key/Value: "user" will be the key and "yoghurtpower" the value>
For now the vault name is taken from the config file. If you don't wish to store the secrets in the config file, but still want to use the tool, simply set secrets: [].
The update command performs several synchronisation operations at once. The source is the list of secrets in the config file and the target is the configured vault. Operations:
- Updates the value of every secret whose value has changed (a new version is created when the value changes)
- Updates tags, descriptions and expiration dates
- Creates any secret that is in the file but not present in the vault
Examples:
vaultm update
vaultm --config ./my-secrets.yaml update
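The three operations above as a dry-run planner, added here as an illustration and not code from the vaultm project. It assumes a constructed vault-state mapping in place of the KeyVault client and that disable_old_version means "disable the previous version once a new one is created".

```python
from dataclasses import dataclass, field


@dataclass
class SecretSpec:
    """One entry from the config file; field names follow the README syntax."""
    name: str
    value: str
    description: str = ""
    expire: str = ""                      # yyyy/mm/dd, as written in the config
    tags: dict = field(default_factory=dict)


def plan_update(config_secrets, vault_state, disable_old_version=False):
    """Compute the operations `update` would apply, without touching any vault.

    vault_state is a constructed stand-in for the KeyVault client: it maps a
    secret name -> {"value", "description", "expire", "tags"} of the current
    version. Returns (action, name) tuples in application order.
    disable_old_version is assumed to mean "disable the previous version after
    a new one has been created".
    """
    ops = []
    for spec in config_secrets:
        current = vault_state.get(spec.name)
        if current is None:                       # in the file, not in the vault
            ops.append(("create", spec.name))
            continue
        if current["value"] != spec.value:        # value changed -> new version
            ops.append(("new_version", spec.name))
            if disable_old_version:
                ops.append(("disable_previous", spec.name))
        if (current["description"], current["expire"], current["tags"]) != (
            spec.description, spec.expire, spec.tags
        ):
            ops.append(("update_attributes", spec.name))
    return ops
```

Running the planner before the real update is a cheap way to review exactly which secrets will get a new version.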
Exposes secrets in bash export format. Useful if you store your CI/CD secrets in KeyVault and want to access them as environment variables. Every - in the secret name is replaced with _, the name is upper-cased and the prefix VAULT_ is added:
Command: vaultm expose --secrets mysql-password
Output: export VAULT_MYSQL_PASSWORD=aiuh52uweuibgisbgdbsdf
Within a Pipeline: eval $(vaultm expose --secrets all)
Flags:
--secrets SECRETS (Specify the secrets to be exposed).
Examples:
vaultm expose --secrets all
vaultm expose --secrets mysql-password,mysql-username
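The name mapping and export-line generation described above, written as an added example (not the project's own code). It uses a constructed name-to-value mapping in place of the vault and shell-quotes every value, which matters when the output is fed to eval in a pipeline.

```python
import re
import shlex

ENV_NAME = re.compile(r"[A-Z_][A-Z0-9_]*")


def env_name(secret_name: str, prefix: str = "VAULT_") -> str:
    """mysql-password -> VAULT_MYSQL_PASSWORD: dashes to underscores, upper-cased, prefixed."""
    return prefix + secret_name.replace("-", "_").upper()


def export_lines(secrets: dict, selected: str = "all") -> list:
    """Build `export NAME=value` lines for the selected secrets.

    `secrets` is a constructed name -> value mapping standing in for the vault.
    `selected` mirrors --secrets: "all" or a comma-separated list of names.
    Values are shell-quoted so `eval $(...)` cannot be broken, or made to run
    extra commands, by spaces, quotes or `$(...)` inside a secret value.
    """
    names = list(secrets) if selected == "all" else [s.strip() for s in selected.split(",")]
    lines = []
    for name in names:
        if name not in secrets:
            raise KeyError(f"secret not found in vault: {name}")
        env = env_name(name)
        if not ENV_NAME.fullmatch(env):
            raise ValueError(f"{name!r} does not map to a valid environment variable name")
        lines.append(f"export {env}={shlex.quote(secrets[name])}")
    return lines
```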
Copies all secrets from the source vault to the target vault. This includes name, value, tags and description (content-type). Please note that only the latest active version is migrated.
Flags:
--source SOURCE Specify the source vault
--target TARGET Specify the target vault
Examples:
vaultm migrate --source origin-kv-001 --target secondary-kv-002
Used for creating files with secrets injected based on template files. The templater looks for the syntax "{{ secret-name-as-in-the-vault }}" and replaces it with the current active version of that secret. Multiple secrets can be replaced in the same file, and the command works much like "sed" on Linux. If a secret is not found in the vault, an error is printed and the placeholder for that secret is left unreplaced.
Flags:
--input (path to template file)
--output (path to destination file)
Examples:
vaultm template --input ./template.toml.j2 --output ./settings.toml.j2
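The placeholder replacement just described, as an added example rather than the project's implementation. It assumes a lookup callable standing in for the vault client, leaves unknown placeholders untouched, and writes the rendered file with owner-only permissions because it now contains secrets.

```python
import os
import re
import sys

# {{ secret-name }} with optional whitespace; KeyVault secret names are alphanumerics and dashes
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9-]+)\s*\}\}")


def render_template(text: str, lookup) -> tuple:
    """Replace every {{ secret-name }} with the secret's current value.

    `lookup(name)` returns the value, or None when the secret is not in the vault
    (a constructed stand-in for the KeyVault client). Missing secrets are collected
    and their placeholder is left as-is. Returns (rendered_text, missing_names).
    """
    missing = []

    def _sub(match):
        name = match.group(1)
        value = lookup(name)
        if value is None:
            missing.append(name)
            return match.group(0)          # keep the placeholder untouched
        return value                       # callback results are inserted literally

    return PLACEHOLDER.sub(_sub, text), missing


def render_file(input_path: str, output_path: str, lookup) -> list:
    """Render input_path into output_path; the result holds secrets, so create it 0600."""
    with open(input_path, encoding="utf-8") as fh:
        rendered, missing = render_template(fh.read(), lookup)
    fd = os.open(output_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        out.write(rendered)
    for name in missing:
        print(f"error: secret {name!r} not found in vault, placeholder left as-is", file=sys.stderr)
    return missing
```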
Does a yaml validation of the secrets in the config file and checks that all required fields are present.
Examples:
vaultm validate
vaultm --config ./my-secrets.yaml validate
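A validator for the config syntax shown in the Syntax section, covering the checks the validate command describes; this is an added example, not the project's own code. It assumes the file has been loaded with PyYAML's safe_load and treats name and value as the required fields.

```python
from datetime import date, datetime

REQUIRED = ("name", "value")
OPTIONAL = ("description", "expire", "tags")


def load_config(path: str):
    import yaml  # PyYAML, assumed installed; safe_load refuses arbitrary Python objects
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


def parse_expire(text: str) -> date:
    """Config dates are yyyy/mm/dd, e.g. 2025/04/24 (YAML keeps that as a plain string)."""
    return datetime.strptime(text, "%Y/%m/%d").date()


def validate_config(doc, today=None) -> list:
    """Return the list of problems found; an empty list means the config is valid."""
    problems = []
    cfg = (doc or {}).get("config") if isinstance(doc, dict) else None
    if not isinstance(cfg, dict) or not cfg.get("vault_name"):
        return ["config.vault_name is required"]
    secrets = cfg.get("secrets")
    if not isinstance(secrets, list):
        return ["config.secrets must be a list (use [] for none)"]
    seen = set()
    for i, entry in enumerate(secrets):
        if not isinstance(entry, dict):
            problems.append(f"secrets[{i}]: not a mapping")
            continue
        for key in REQUIRED:
            if key not in entry:
                problems.append(f"secrets[{i}]: missing {key}")
        for key in entry:
            if key not in REQUIRED + OPTIONAL:
                problems.append(f"secrets[{i}]: unknown field {key}")
        name = entry.get("name")
        if name in seen:
            problems.append(f"secrets[{i}]: duplicate name {name}")
        seen.add(name)
        if "expire" in entry:
            try:
                if parse_expire(str(entry["expire"])) < (today or date.today()):
                    problems.append(f"secrets[{i}]: expire date is in the past")
            except ValueError:
                problems.append(f"secrets[{i}]: expire must be yyyy/mm/dd")
        if "tags" in entry and not isinstance(entry["tags"], dict):
            problems.append(f"secrets[{i}]: tags must be key/value pairs")
    return problems
```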
Useful for finding which secrets are present in the secrets config file and which were added to the vault manually.
Examples:
vaultm finder
vaultm --config ./my-secrets.yaml finder
Dumps the whole content of a KeyVault in the vault manager yaml config format. This includes the values of the secrets. Please note that only the current version is taken for the value; older versions are not dumped.
Examples:
vaultm dump
This package is developed by Accedia JSC and can be used free of charge (for more information please check the provided License file).
In case you need enterprise assistance, you can reach out to us at Accedia (Contact us).