Vaku is a CLI and API for running path- and folder-based operations on the Vault Key/Value secrets engine.

Overview

Vaku


Vaku is a CLI and API for running path- and folder-based operations on the Vault Key/Value secrets engine. Vaku extends the existing Vault CLI and API by allowing you to run the same path-based list/read/write/delete functions on folders as well. Vaku also lets you search, copy, and move both secrets and folders.

Installation

Homebrew

brew install lingrino/tap/vaku

Scoop

scoop bucket add vaku https://github.com/lingrino/scoop-vaku.git
scoop install vaku

Docker

docker run ghcr.io/lingrino/vaku --help

Binary

Download the latest binary or deb/rpm for your os/arch from the releases page.

Usage

Vaku CLI documentation can be found on the command line using either vaku help [cmd] or vaku [cmd] --help. The same documentation is also available in markdown form in the docs/cli folder.

API

Documentation for the Vaku API is on pkg.go.dev.

Contributing

Suggestions and contributions of all kinds are welcome! If there is functionality you would like to see in Vaku please open an Issue or Pull Request and I will be sure to address it.

Tests

Vaku is well tested and uses only the standard go testing tools.

$ go test -cover -race ./...
ok  github.com/lingrino/vaku/v2      0.095s coverage: 100.0% of statements
ok  github.com/lingrino/vaku/v2/api 12.065s coverage: 100.0% of statements
ok  github.com/lingrino/vaku/v2/cmd  0.168s coverage: 100.0% of statements
Issues
  • Are you interested in integrating some logging capabilities?

    Thanks for your work on vaku, I have been using it for a while and it has been a great help.

    One problem I am having is that it is currently not possible to see what the current progress is and what vaku is actually doing; therefore, I was thinking of integrating some logging capabilities into it with a verbose mode. I have two questions about this:

    • would you be willing to merge if I came up with such a PR or is this something you are not interested in adding to vaku?
    • if yes, would you have any preference for a logging library?
    opened by karakanb 8
  • Add support in copy command to handle kv-v2 destroyed secrets

    Created underlying support for destroying the latest version of a secret for testing purposes, but not exposed to users.

    opened by shwuandwing 5
  • Fix the full path where there are nested directories with the same name

    I finally managed to reproduce the issue, and it seemed to be an easy fix for the search part at least.

    • Run Vault locally: docker run -p "8200:8200" -e VAULT_DEV_ROOT_TOKEN_ID=my-login-token vault:1.7.1
    • Once you run the command above, you'll have Vault running on http://localhost:8200.
    • Go to the UI, login with the token my-login-token.
    • Once you are in, create a KV mount named test.
    • In this mount, create a secret with the path test/some-secret, put key as the key and value as the value.
    • The final path should look like this:

    image

    At this point, run the master branch against your local Vault instance with a single worker:

    ❯ go build && ./vaku folder search test value --address="http://localhost:8200" --token="my-login-token" --workers=1
    

    This will never end because Vaku is falling into an infinite loop.

    Now checkout to this PR, and run it with the same command, it'll work:

    ❯ go build && ./vaku folder search test value --address="http://localhost:8200" --token="myroot" --workers=1
    test/some-secret
    

    I haven't used the other commands in Vaku, I mainly needed the search functionality and this PR seems to fix it.

    opened by karakanb 4
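
A terminating folder search over the layout from the reproduction steps above, as an added Go example; it is not Vaku's code, and the page does not state the cause of the loop. `fakeKV`, `sampleKV`, `folderSearch` and `maxDepth` are hypothetical names, and the in-memory tree stands in for Vault's list and read responses.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// fakeKV is a constructed stand-in for a Vault KV mount: lists maps a folder to
// its LIST result (sub-folders end in "/"), secrets maps a full path to its data.
type fakeKV struct {
	lists   map[string][]string
	secrets map[string]map[string]string
}

// sampleKV mirrors the reproduction (mount "test" holding "test/some-secret");
// the "deep" and "top" entries are constructed extras.
func sampleKV() fakeKV {
	return fakeKV{
		lists: map[string][]string{
			"test":           {"test/", "top"},
			"test/test":      {"some-secret", "test/"},
			"test/test/test": {"deep"},
		},
		secrets: map[string]map[string]string{
			"test/test/some-secret": {"key": "value"},
			"test/test/test/deep":   {"key": "another value"},
			"test/top":              {"key": "nothing"},
		},
	}
}

// folderSearch returns root-relative paths of secrets holding a value that contains
// needle. maxDepth bounds recursion so a path-building mistake errors instead of hanging.
func folderSearch(kv fakeKV, root, needle string, maxDepth int) ([]string, error) {
	root = strings.Trim(root, "/")
	var hits []string
	var walk func(folder string, depth int) error
	walk = func(folder string, depth int) error {
		if depth > maxDepth {
			return fmt.Errorf("depth limit %d exceeded at %q", maxDepth, folder)
		}
		for _, child := range kv.lists[folder] {
			full := path.Join(folder, child) // parent path + child name
			if strings.HasSuffix(child, "/") {
				if err := walk(full, depth+1); err != nil {
					return err
				}
				continue
			}
			for _, v := range kv.secrets[full] {
				if strings.Contains(v, needle) {
					// Strip the root prefix once; the nested "test/" must survive.
					hits = append(hits, strings.TrimPrefix(full, root+"/"))
					break
				}
			}
		}
		return nil
	}
	err := walk(root, 0)
	return hits, err
}

func main() {
	hits, err := folderSearch(sampleKV(), "test", "value", 8)
	fmt.Println(hits, err)
}
```

With the sample tree, searching `test` for `value` yields `test/some-secret` and `test/test/deep`; a `maxDepth` of 1 returns an error at the third nested `test` folder.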
  • Copy commands can copy when source and target differ in address / namespace / or token

    This enhancement enables copying secrets between Vault clusters.

    opened by shwuandwing 4
  • Add environment variable for bearer auth token

    We are using vaku for folder list and copy. vaku is a very useful tool for the Vault ecosystem. However, our internal network has an edge gateway which requires a valid bearer token.

    Every time, we need to ssh into a jump box to run the script with vaku.

    It would be great if vaku supported adding an auth bearer token environment variable into the Vault request header.

    opened by hixichen 4
  • output with text is not sorted.

    JSON output is sorted and always the same. But output with text is not sorted.

    vaku folder read my-path/ -T -o text
    
    opened by hixichen 3
  • Update to go 1.17

    opened by lingrino 3
  • Vaku (homebrew version) will not execute on Fedora Linux or WSL

    Issue

    After successfully installing linuxbrew, ensuring PATH is set correctly, installing vaku and setting /home/linuxbrew/.linuxbrew/Cellar/vaku/1.1.1/bin/vaku to be executable attempting to run vaku fails with the following error:

    $ vaku -h
    bash: /home/linuxbrew/.linuxbrew/bin/vaku: cannot execute binary file: Exec format error

    Steps Taken

    $ sh -c "$(curl -fsSL https://raw.githubusercontent.com/Linuxbrew/install/master/install.sh)"
    $ test -d ~/.linuxbrew && eval $(~/.linuxbrew/bin/brew shellenv)
    $ test -d /home/linuxbrew/.linuxbrew && eval $(/home/linuxbrew/.linuxbrew/bin/brew shellenv)
    $ test -r ~/.bash_profile && echo "eval \$($(brew --prefix)/bin/brew shellenv)" >>~/.bash_profile
    $ brew install lingrino/tap/vaku
    $ vaku -h
    bash: /home/linuxbrew/.linuxbrew/bin/vaku: Permission denied
    $ chmod 555 /home/linuxbrew/.linuxbrew/Cellar/vaku/1.1.1/bin/vaku
    $ vaku -h
    bash: /home/linuxbrew/.linuxbrew/bin/vaku: cannot execute binary file: Exec format error

    Additional Info

    The vault binary included with the homebrew version of vaku executes without issue.

    $ vault -h
    Usage: vault <command> [args]
    <snip>

    file /home/linuxbrew/.linuxbrew/Cellar/vault/1.2.2/bin/vault
    /home/linuxbrew/.linuxbrew/Cellar/vault/1.2.2/bin/vault: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=SO1z1SDfi0jHi9Es0U-L/loeYoDLiiRizqE3Ftg_h/9pGJhh4sewGN5N0Hnyjp/KJ4ke0EOnHGwhY6QVTx8, not stripped

    $ file /home/linuxbrew/.linuxbrew/Cellar/vaku/1.1.1/bin/vaku
    /home/linuxbrew/.linuxbrew/Cellar/vaku/1.1.1/bin/vaku: Mach-O 64-bit x86_64 executable

    System Info

    This issue has presented on Fedora 30 and in the Pengwin (Debian) WSL distribution.

    $ uname -a
    Linux hostname 4.4.0-18362-Microsoft #1-Microsoft Mon Mar 18 12:02:00 PST 2019 x86_64 GNU/Linux

    $ uname -a
    Linux hostname.domain.local 5.2.8-200.fc30.x86_64 #1 SMP Sat Aug 10 13:21:39 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

    opened by synaptis 3
  • Bump codecov/codecov-action from 1.5.0 to 1.5.1

    Bumps codecov/codecov-action from 1.5.0 to 1.5.1.

    Release notes

    Sourced from codecov/codecov-action's releases.

    v1.5.1

    1.5.1

    Fixes

    • #320 doc: add github actions badge
    • #336 Update bash uploader to 1.0.3
    • #339 fix: Add action version

    Dependencies

    • #302 Bump @typescript-eslint/eslint-plugin from 4.22.0 to 4.22.1
    • #303 Bump @typescript-eslint/parser from 4.22.0 to 4.22.1
    • #304 Bump ts-jest from 26.5.5 to 26.5.6
    • #309 Bump lodash from 4.17.19 to 4.17.21
    • #310 Bump hosted-git-info from 2.8.8 to 2.8.9
    • #311 Bump @actions/github from 4.0.0 to 5.0.0
    • #314 Bump eslint from 7.25.0 to 7.27.0
    • #315 Bump @actions/core from 1.2.7 to 1.3.0
    • #316 Bump @typescript-eslint/parser from 4.22.1 to 4.25.0
    • #317 Bump @typescript-eslint/eslint-plugin from 4.22.1 to 4.25.0
    • #319 Bump jest-junit from 12.0.0 to 12.1.0
    • #321 Bump typescript from 4.2.4 to 4.3.2
    • #323 Bump ws from 7.3.1 to 7.4.6
    • #331 Bump eslint from 7.27.0 to 7.28.0
    • #332 Bump @actions/exec from 1.0.4 to 1.1.0
    • #333 Bump @typescript-eslint/parser from 4.25.0 to 4.26.1
    • #334 Bump @typescript-eslint/eslint-plugin from 4.25.0 to 4.26.1
    • #335 Bump @actions/core from 1.3.0 to 1.4.0
    • #337 Bump glob-parent from 5.1.1 to 5.1.2
    Commits
    • fbeda37 Merge pull request #338 from codecov/1.5.1
    • ebcf63d Update changelog
    • a3e633d Merge pull request #339 from codecov/action-version
    • b8f6852 lint
    • c9d0b81 fix: Add action version
    • 8f0855a Bump to 1.5.1
    • c53d6ba Merge pull request #337 from codecov/dependabot/npm_and_yarn/glob-parent-5.1.2
    • 67f597a Merge pull request #336 from slarse/update-bash-uploader-to-1.0.3
    • 23d3003 Merge pull request #321 from codecov/dependabot/npm_and_yarn/typescript-4.3.2
    • 328e5ac Merge pull request #332 from codecov/dependabot/npm_and_yarn/actions/exec-1.1.0
    • Additional commits viewable in compare view

    dependencies actions 
    opened by dependabot[bot] 3
  • Bump github.com/hashicorp/vault from 0.11.5 to 1.0.0

    Bumps github.com/hashicorp/vault from 0.11.5 to 1.0.0.

    Changelog

    Sourced from github.com/hashicorp/vault's changelog.

    1.0.0 (December 3rd, 2018)

    SECURITY:

    • When debugging a customer incident we discovered that in the case of malformed data from an autoseal mechanism, Vault's master key could be logged in Vault's server log. For this to happen, the data would need to be modified by the autoseal mechanism after being submitted to it by Vault but prior to encryption, or after decryption, prior to it being returned to Vault. To put it another way, it requires the data that Vault submits for encryption to not match the data returned after decryption. It is not sufficient for the autoseal mechanism to return an error, and it cannot be triggered by an outside attacker changing the on-disk ciphertext as all autoseal mechanisms use authenticated encryption. We do not believe that this is generally a cause for concern; since it involves the autoseal mechanism returning bad data to Vault but with no error, in a working Vault configuration this code path should never be hit, and if hitting this issue Vault will not be unsealing properly anyways so it will be obvious what is happening and an immediate rekey of the master key can be performed after service is restored. We have filed for a CVE (CVE-2018-19786) and a CVSS V3 score of 5.2 has been assigned.

    CHANGES:

    • Tokens are now prefixed by a designation to indicate what type of token they are. Service tokens start with s. and batch tokens start with b.. Existing tokens will still work (they are all of service type and will be considered as such). Prefixing allows us to be more efficient when consuming a token, which keeps the critical path of requests faster.
    • Paths within auth/token that allow specifying a token or accessor in the URL have been removed. These have been deprecated since March 2016 and undocumented, but were retained for backwards compatibility. They shouldn't be used due to the possibility of those paths being logged, so at this point they are simply being removed.
    • Vault will no longer accept updates when the storage key has invalid UTF-8 character encoding [GH-5819]
    • Mount/Auth tuning the options map on backends will now upsert any provided values, and keep any of the existing values in place if not provided. The options map itself cannot be unset once it's set, but the keypairs within the map can be unset if an empty value is provided, with the exception of the version keypair which is handled differently for KVv2 purposes.
    • Agent no longer automatically reauthenticates when new credentials are detected. It's not strictly necessary and in some cases was causing reauthentication much more often than intended.
    • HSM Regenerate Key Support Removed: Vault no longer supports destroying and regenerating encryption keys on an HSM; it only supports creating them. Although this has never been a source of a customer incident, it is simply a code path that is too trivial to activate, especially by mistyping regenerate_key instead of generate_key.
    • Barrier Config Upgrade (Enterprise): When upgrading from Vault 0.8.x, the
    ... (truncated)
    dependencies 
    opened by dependabot-preview[bot] 2
Releases(v2.4.1)
Owner
Sean Lingren
SRE @ Loom