Download Vault credentials recursively as JSON
"""
Get Vault credentials recursively as JSON.

Requirements: the requests library. Install it with pip:
$ pip install requests

To run this command:
$ python get_credentials.py <initial url> <token>
"""
import json
import os
import sys

import requests
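def is_leaf(value):
    """Return *value* when it names a secret (no trailing '/'), else None.

    An empty key returns None instead of raising IndexError, so a malformed
    listing entry is skipped rather than aborting the whole walk.
    """
    if value and not value.endswith('/'):
        return value
    return None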
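def is_branch(value):
    """Return *value* when it names a sub-path (trailing '/'), else None.

    ``endswith`` is used instead of indexing so an empty key yields None
    rather than raising IndexError.
    """
    return value if value.endswith('/') else None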
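def find_credentials(url, token):
    """Build recursively and return a list of credentials endpoints.

    Issues a LIST request against *url*, treats keys ending in '/' as
    sub-paths to descend into and every other key as a secret endpoint.

    Args:
        url: URL of the Vault path to list. A missing trailing '/' is added.
        token: Vault token, sent in the X-Vault-Token header on every
            request. Use an https:// URL so it is not sent in clear text.

    Returns:
        A list of secret URLs (direct leaves first, then those found in
        sub-paths). Empty when the listing fails or holds no keys.

    Network failures, including the 30 second timeout, propagate as
    ``requests`` exceptions.

    NOTE(review): the join logic assumes list and read share one path
    layout (KV v1 style); confirm before pointing it at a KV v2 mount.
    """
    # Without the trailing slash the key names would be glued onto the last
    # path segment ("…/secret" + "db" -> "…/secretdb").
    base = url if url.endswith('/') else url + '/'

    # Bounded wait: an unresponsive server must not hang the run forever.
    response = requests.request(
        'LIST', url=base, headers={'X-Vault-Token': token}, timeout=30)

    # Diagnostics go to stderr so stdout stays valid JSON for the caller.
    if response.status_code != 200:
        sys.stderr.write(
            ' :: Error opening url. HTTP status code={}'.format(
                response.status_code) + '\n')
        return []

    data = response.json().get('data')
    keys = data and data.get('keys')
    if not keys:
        sys.stderr.write(' :: No branch or credential found.' + '\n')
        return []

    # Each key is either a sub-path or a secret; the helpers return None for
    # the other kind, which filter(None, ...) drops.
    branches = [base + key for key in filter(None, map(is_branch, keys))]
    leaves = [base + key for key in filter(None, map(is_leaf, keys))]

    deep_leaves_urls = []
    for branch_url in branches:
        deep_leaves_urls += find_credentials(branch_url, token)
    return leaves + deep_leaves_urls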
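def get_secret(url, token):
    """Access endpoint and get credential.

    Args:
        url: URL of one secret, as returned by find_credentials().
        token: Vault token, sent in the X-Vault-Token header.

    Returns:
        The ``data`` member of the JSON response, i.e. the secret in plain
        text, or None when the request fails or carries no data.

    Network failures, including the 30 second timeout, propagate as
    ``requests`` exceptions.
    """
    # Bounded wait: an unresponsive server must not hang the run forever.
    response = requests.get(
        url, headers={'X-Vault-Token': token}, timeout=30)

    # Diagnostics go to stderr so stdout stays valid JSON for the caller.
    if response.status_code != 200:
        sys.stderr.write(
            ' :: Error opening url. HTTP status code={}'.format(
                response.status_code) + '\n')
        return None

    data = response.json().get('data')
    if not data:
        sys.stderr.write(" :: No credential data found." + '\n')
        return None
    return data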
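if __name__ == "__main__":
    # Usage: get_credentials.py <start_url> [<token>]
    #
    # A token passed as argv[2] is readable by other local users through the
    # process list and is kept in shell history. When it is omitted, the
    # token is taken from the VAULT_TOKEN environment variable instead.
    url = sys.argv[1] if len(sys.argv) >= 2 else None
    if len(sys.argv) >= 3:
        token = sys.argv[2]
    else:
        token = os.environ.get('VAULT_TOKEN')

    if url and token:
        paths = find_credentials(url, token)
        dump = {path: get_secret(path, token) for path in paths}
        # stdout receives every secret in plain text: redirect it only to a
        # file with restrictive permissions and keep it out of logs.
        print(json.dumps(dump))
    else:
        # Usage errors go to stderr with a non-zero exit status so a caller
        # piping stdout does not mistake the message for an empty dump.
        sys.stderr.write(
            "\nUse {name} <start_url> <token>\n".format(name=sys.argv[0])
            + "\n")
        sys.exit(1)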
When running, don't forget to add the path to the kv1 Secret Engine you wish to retrieve:
You can also use jq (https://stedolan.github.io/jq/download/) to format the output: