vkv is a little CLI tool written in Go, which enables you to list, compare, import, document, back up & encrypt secrets from a HashiCorp Vault KV-v2 engine.
Features
recursively print secrets of any KVv2 engine in JSON, YAML, Markdown and other formats
engine export shows the secret version as well as its custom metadata
customize the output (show only-keys, only-paths, mask/unmask secrets) via flags or environment
print the CRUD capabilities of the authenticated token for each KV path (format: policy)
print secrets in export <key>=<value> format for variable exporting (format: export)
import secrets back to Vault from vkv's JSON or YAML format
save and restore KVv2 snapshots (including namespaces) and running on Kubernetes
list all engines or namespaces for scripting purposes
handy snippets for managing KVv2 engines using fzf, sops & diff
Check out the Quickstart Guide to learn more about vkv.
Quickstart
# Installation
curl -OL https://github.com/FalcoSuessgott/vkv/releases/latest/download/vkv_0.2.1_$(uname)_$(uname -m).tar.gz
# extract the archive that was just downloaded (same OS/arch suffix as above)
tar xzf vkv_0.2.1_$(uname)_$(uname -m).tar.gz
chmod u+x vkv
./vkv version
vkv 0.2.1
# set required env vars
export VAULT_ADDR=https://vault-server:8200
export VAULT_TOKEN=<your-vault-token>
# verify connection
vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.12.1
Build Date      2022-10-27T12:32:05Z
Storage Type    inmem
Cluster Name    vault-cluster-ffd05212
Cluster ID      42ef92d5-eb21-0cb5-dd0b-804dac04e505
HA Enabled      false
# list secrets recursively of a KVv2 engine
vkv export --path <KVv2-engine path>
secret/
├── v1: admin [key=value] # v1 -> secret version; "admin" -> secrets name; "[key=value]" -> secrets custom metadata
│   └── sub=******** # "sub" -> key; "*****" -> masked value (disable with --show-values)
├── v1: demo
│   └── foo=***
└── sub/
    ├── v1: demo
    │   ├── demo=***********
    │   ├── password=******
    │   └── user=*****
    └── sub2
        └── v2: demo [admin=false key=value]
            ├── admin=***
            ├── foo=***
            ├── password=********
            └── user=****
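
The masked tree format shown above can be checked mechanically before an export is pasted into a ticket or a document. The following is an added example, not part of vkv or its documentation: it reads a tree on stdin and reports every leaf whose value is not made up solely of asterisks. The function names and both sample trees are constructed, and it assumes that leaves directly follow their "vN: name" header, as in the output above.

```shell
#!/bin/sh
# Added example (not vkv code): find unmasked values in vkv's tree output.

# Prints "<secret name>: <key>" for each unmasked leaf (never the value itself).
# Exit status: 0 = every value masked, 1 = at least one unmasked value.
vkv_unmasked_leaves() {
  # Strip the tree drawing: every leading byte outside printable ASCII
  # (box characters, spaces, non-breaking spaces), then trailing whitespace.
  LC_ALL=C sed -e 's/^[^!-~]*//' -e 's/[[:space:]]*$//' |
  LC_ALL=C awk '
    # Secret header: "vN: name [custom metadata]". The metadata contains "="
    # but is not a secret value, so remember the name and move on.
    /^v[0-9]+: / { name = $0; sub(/^v[0-9]+: /, "", name); sub(/ \[.*$/, "", name); next }
    # Engine root or sub-directory.
    !/=/ { next }
    # Leaf: split on the first "=", the value may itself contain "=".
    {
      i = index($0, "="); key = substr($0, 1, i - 1); val = substr($0, i + 1)
      if (val !~ /^\**$/) { print name ": " key; bad = 1 }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample: default (masked) output in the format shown above.
sample_masked() { cat <<'EOF'
secret/
├── v1: admin [key=value]
│   └── sub=********
└── sub/
    └── v2: demo [admin=false key=value]
        ├── password=********
        └── user=****
EOF
}

# Constructed sample: one value was exported unmasked.
sample_leaky() { cat <<'EOF'
secret/
└── sub/
    └── v1: demo
        ├── password=hunter2
        └── user=*****
EOF
}

sample_leaky | vkv_unmasked_leaves || echo "unmasked values found" >&2
```

A secret whose real value consists only of asterisks is indistinguishable from a masked one and will not be reported.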