Vaku

Vaku is a CLI and API for running path- and folder-based operations on the Vault Key/Value secrets engine. Vaku extends the existing Vault CLI and API by allowing you to run the same path-based list/read/write/delete functions on folders as well. Vaku also lets you search, copy, and move both secrets and folders.

Installation

Homebrew

brew install lingrino/tap/vaku

Scoop

scoop bucket add vaku https://github.com/lingrino/scoop-vaku.git
scoop install vaku

Docker

docker run ghcr.io/lingrino/vaku --help

Binary

Download the latest binary or deb/rpm for your os/arch from the releases page.

Usage

Vaku CLI documentation can be found on the command line using either vaku help [cmd] or vaku [cmd] --help. The same documentation is also available in markdown form in the docs/cli folder.

API

Documentation for the Vaku API is on pkg.go.dev.

Contributing

Suggestions and contributions of all kinds are welcome! If there is functionality you would like to see in Vaku please open an Issue or Pull Request and I will be sure to address it.

Tests

Vaku is well tested and uses only the standard go testing tools.

$ go test -cover -race ./...
ok  github.com/lingrino/vaku/v2      0.095s coverage: 100.0% of statements
ok  github.com/lingrino/vaku/v2/api 12.065s coverage: 100.0% of statements
ok  github.com/lingrino/vaku/v2/cmd  0.168s coverage: 100.0% of statements
Comments
  • Are you interested in integrating some logging capabilities?

    Thanks for your work on vaku, I have been using it for a while and it has been a great help.

    One problem I am having is that it is currently not possible to see what is the current progress and what is vaku actually doing; therefore, I was thinking of integrating some logging capabilities to it with a verbose mode. I have two questions about this:

    • would you be willing to merge if I came up with such a PR or is this something you are not interested in adding to vaku?
    • if yes, would you have any preference for a logging library?
    opened by karakanb 8
  • Bump github.com/hashicorp/vault-plugin-secrets-kv from 0.13.0 to 0.13.3

    Bumps github.com/hashicorp/vault-plugin-secrets-kv from 0.13.0 to 0.13.3.

    Commits
    • 8e5c5ff Release commit for v0.13.3
    • f3819bc VAULT-8631 - Change synchronous logic to insert storage entry after mounting ...
    • 86e80b5 VAULT-8631 Make upgrade synchronous when no keys to upgrade (#66) (#67)
    • 929c041 Release commit for v0.13.1
    • 562a5be Updated following the plugin release process (#65)
    • 05d1235 Prevent the pattern matching for KV V2 operations if a trailing slash… (#64)
    • 5c55bbe Update jira action (#54)
    • See full diff in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies go 
    opened by dependabot[bot] 5
  • Fix the full path where there are nested directories with the same name

    I finally managed to reproduce the issue, and it seemed to be an easy fix for the search part at least.

    • Run Vault locally: docker run -p "8200:8200" -e VAULT_DEV_ROOT_TOKEN_ID=my-login-token vault:1.7.1
    • Once you run the command above, you'll have Vault running on http://localhost:8200.
    • Go to the UI, login with the token my-login-token.
    • Once you are in, create a KV mount named test.
    • In this mount, create a secret with the path test/some-secret, put key as the key and value as the value.
    • The final path should look like this:

    image

    At this point, run the master branch against your local Vault instance with a single worker:

    ❯ go build && ./vaku folder search test value --address="http://localhost:8200" --token="my-login-token" --workers=1
    

    This will never end because Vaku is falling into an infinite loop.

    Now checkout to this PR, and run it with the same command, it'll work:

    ❯ go build && ./vaku folder search test value --address="http://localhost:8200" --token="myroot" --workers=1
    test/some-secret
    

    I haven't used the other commands in Vaku, I mainly needed the search functionality and this PR seems to fix it.

    opened by karakanb 4
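Both the folder search the README describes and the loop this PR reports come down to how a walker derives each child's path and decides when it is finished. The following is an added example written for this page, not vaku's code: a breadth-first folder search over a small KV interface, run against a constructed in-memory store that reproduces the report's layout (a mount named test containing a folder also named test). The names KV, FakeKV, NewSampleKV, joinPath and FolderSearch are the example's own, and the page does not state the original bug's cause, so the example shows the two properties a walker needs in order not to loop: child paths built forward from the parent folder, and a visited set so that no folder is expanded twice. It is sequential; vaku's worker pool is not modelled.

```go
package main

import (
	"context"
	"fmt"
	"strings"
	"sort"
)

// KV is the read/list surface a folder walker needs; subfolders in List
// results carry a trailing "/", as they do in Vault LIST responses.
type KV interface {
	List(ctx context.Context, folder string) ([]string, error)
	Read(ctx context.Context, path string) (map[string]string, error)
}

// FakeKV is a constructed in-memory stand-in for a Vault client; keys are
// full paths beginning with the mount name.
type FakeKV map[string]map[string]string

// NewSampleKV reproduces the layout from the bug report: a mount named "test"
// holding a folder also named "test", plus two more constructed secrets.
func NewSampleKV() FakeKV {
	return FakeKV{
		"test/test/some-secret": {"key": "value"},
		"test/test/nested/deep": {"token": "value-2"},
		"test/other":            {"user": "alice"},
	}
}

func (f FakeKV) Read(_ context.Context, path string) (map[string]string, error) {
	if s, ok := f[path]; ok {
		return s, nil
	}
	return nil, fmt.Errorf("no secret at %q", path)
}

func (f FakeKV) List(_ context.Context, folder string) ([]string, error) {
	prefix := strings.TrimSuffix(folder, "/") + "/"
	seen := map[string]bool{}
	for full := range f {
		if rest, ok := strings.CutPrefix(full, prefix); ok {
			if i := strings.Index(rest, "/"); i >= 0 {
				rest = rest[:i+1] // an immediate subfolder, trailing slash kept
			}
			seen[rest] = true
		}
	}
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	return out, nil
}

// joinPath extends the parent folder forward with a listed key. Building child
// paths this way, never by replacing or trimming a folder *name* inside a
// string, keeps "test/test/some-secret" distinct from "test/some-secret".
func joinPath(parent, key string) string {
	return strings.TrimSuffix(parent, "/") + "/" + key
}

// FolderSearch walks root breadth-first and returns, sorted, the full paths of
// secrets whose keys or values contain needle. Each folder is expanded at most
// once, so the walk terminates even if a path computation repeats a folder.
func FolderSearch(ctx context.Context, kv KV, root, needle string) ([]string, error) {
	start := strings.TrimSuffix(root, "/") + "/"
	queue := []string{start}
	visited := map[string]bool{start: true}
	var matches []string
	for len(queue) > 0 {
		folder := queue[0]
		queue = queue[1:]
		keys, err := kv.List(ctx, folder)
		if err != nil {
			return nil, fmt.Errorf("list %s: %w", folder, err)
		}
		for _, key := range keys {
			child := joinPath(folder, key)
			if strings.HasSuffix(key, "/") {
				if !visited[child] { // never re-queue a folder already seen
					visited[child] = true
					queue = append(queue, child)
				}
				continue
			}
			data, err := kv.Read(ctx, child)
			if err != nil {
				return nil, fmt.Errorf("read %s: %w", child, err)
			}
			for k, v := range data {
				if strings.Contains(k, needle) || strings.Contains(v, needle) {
					matches = append(matches, child)
					break
				}
			}
		}
	}
	sort.Strings(matches)
	return matches, nil
}
```

Calling FolderSearch(context.Background(), NewSampleKV(), "test", "value") returns [test/test/nested/deep test/test/some-secret]. A real client would implement KV over Vault's LIST and READ endpoints (for KV v2 the metadata/ and data/ paths under the mount) and keep the same trailing-slash convention for folders.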
  • Add environment variable for bearer auth token

    We are using vaku for folder list and copy. vaku is a very useful tool for the vault ecosystem. However, our internal network has an edge gateway which requires a valid bearer token.

    Every time, we need to ssh into a jump box to run the script with vaku.

    It would be great if vaku supported adding an auth bearer token from the environment into the Vault request header.

    opened by hixichen 4
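One way to implement what this issue asks for, as an added example that is part of neither vaku nor the issue: an http.RoundTripper that reads a gateway bearer token from an environment variable and attaches it only to requests addressed to the configured Vault host. The variable name VAKU_GATEWAY_BEARER_TOKEN and the names bearerTransport, NewGatewayClient, echoServer and AuthorizationSeenBy are assumptions made for the example; the echo server stands in for the gateway so the code runs offline.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
)

// gatewayEnvVar is a hypothetical variable name chosen for this example; it is
// not one that vaku or Vault define.
const gatewayEnvVar = "VAKU_GATEWAY_BEARER_TOKEN"

// bearerTransport adds "Authorization: Bearer <token>" to requests bound for
// one expected gateway host and passes every other request through untouched,
// so a mis-set address can never send the token somewhere else.
type bearerTransport struct {
	base  http.RoundTripper
	host  string // host[:port] the token may be sent to
	token string
}

func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if t.token != "" && req.URL.Host == t.host {
		req = req.Clone(req.Context()) // RoundTrippers must not mutate the caller's request
		req.Header.Set("Authorization", "Bearer "+t.token)
	}
	return t.base.RoundTrip(req)
}

// NewGatewayClient returns an http.Client whose transport injects token for the
// host of vaultAddr only. The Vault Go client accepts such a client through
// api.Config.HttpClient; that wiring is assumed here rather than shown.
func NewGatewayClient(vaultAddr, token string) (*http.Client, error) {
	u, err := url.Parse(vaultAddr)
	if err != nil {
		return nil, err
	}
	return &http.Client{Transport: &bearerTransport{base: http.DefaultTransport, host: u.Host, token: token}}, nil
}

// echoServer is a constructed stand-in for the gateway: it replies with whatever
// Authorization header it received, so the behaviour can be checked offline.
func echoServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.Header.Get("Authorization"))
	}))
}

// AuthorizationSeenBy performs one request to addr with c and returns the
// Authorization header the other side observed.
func AuthorizationSeenBy(c *http.Client, addr string) (string, error) {
	resp, err := c.Get(addr + "/v1/sys/health")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

func main() {
	srv := echoServer()
	defer srv.Close()
	token := os.Getenv(gatewayEnvVar)
	if token == "" {
		token = "constructed-demo-token" // placeholder so the demo runs without the variable set
	}
	c, err := NewGatewayClient(srv.URL, token)
	if err != nil {
		panic(err)
	}
	seen, err := AuthorizationSeenBy(c, srv.URL)
	fmt.Printf("gateway saw: %q (err=%v)\n", seen, err)
}
```

Binding the header to a single host matters because the token would otherwise ride along on every request the client makes. Vault's own token travels in X-Vault-Token, so the two headers coexist; Vault will, however, also read a token from an Authorization: Bearer header, so the gateway has to consume that header rather than forward it, or Vault will try to authenticate with the gateway token.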
  • Bump codecov/codecov-action from 1.5.0 to 1.5.1

    Bumps codecov/codecov-action from 1.5.0 to 1.5.1.

    Release notes

    Sourced from codecov/codecov-action's releases.

    v1.5.1

    1.5.1

    Fixes

    • #320 doc: add github actions badge
    • #336 Update bash uploader to 1.0.3
    • #339 fix: Add action version

    Dependencies

    • #302 Bump @typescript-eslint/eslint-plugin from 4.22.0 to 4.22.1
    • #303 Bump @typescript-eslint/parser from 4.22.0 to 4.22.1
    • #304 Bump ts-jest from 26.5.5 to 26.5.6
    • #309 Bump lodash from 4.17.19 to 4.17.21
    • #310 Bump hosted-git-info from 2.8.8 to 2.8.9
    • #311 Bump @actions/github from 4.0.0 to 5.0.0
    • #314 Bump eslint from 7.25.0 to 7.27.0
    • #315 Bump @actions/core from 1.2.7 to 1.3.0
    • #316 Bump @typescript-eslint/parser from 4.22.1 to 4.25.0
    • #317 Bump @typescript-eslint/eslint-plugin from 4.22.1 to 4.25.0
    • #319 Bump jest-junit from 12.0.0 to 12.1.0
    • #321 Bump typescript from 4.2.4 to 4.3.2
    • #323 Bump ws from 7.3.1 to 7.4.6
    • #331 Bump eslint from 7.27.0 to 7.28.0
    • #332 Bump @actions/exec from 1.0.4 to 1.1.0
    • #333 Bump @typescript-eslint/parser from 4.25.0 to 4.26.1
    • #334 Bump @typescript-eslint/eslint-plugin from 4.25.0 to 4.26.1
    • #335 Bump @actions/core from 1.3.0 to 1.4.0
    • #337 Bump glob-parent from 5.1.1 to 5.1.2
    Changelog

    Sourced from codecov/codecov-action's changelog.

    1.5.1

    Fixes

    • #320 doc: add github actions badge
    • #336 Update bash uploader to 1.0.3
    • #339 fix: Add action version

    Dependencies

    • #302 Bump @typescript-eslint/eslint-plugin from 4.22.0 to 4.22.1
    • #303 Bump @typescript-eslint/parser from 4.22.0 to 4.22.1
    • #304 Bump ts-jest from 26.5.5 to 26.5.6
    • #309 Bump lodash from 4.17.19 to 4.17.21
    • #310 Bump hosted-git-info from 2.8.8 to 2.8.9
    • #311 Bump @actions/github from 4.0.0 to 5.0.0
    • #314 Bump eslint from 7.25.0 to 7.27.0
    • #315 Bump @actions/core from 1.2.7 to 1.3.0
    • #316 Bump @typescript-eslint/parser from 4.22.1 to 4.25.0
    • #317 Bump @typescript-eslint/eslint-plugin from 4.22.1 to 4.25.0
    • #319 Bump jest-junit from 12.0.0 to 12.1.0
    • #321 Bump typescript from 4.2.4 to 4.3.2
    • #323 Bump ws from 7.3.1 to 7.4.6
    • #331 Bump eslint from 7.27.0 to 7.28.0
    • #332 Bump @actions/exec from 1.0.4 to 1.1.0
    • #333 Bump @typescript-eslint/parser from 4.25.0 to 4.26.1
    • #334 Bump @typescript-eslint/eslint-plugin from 4.25.0 to 4.26.1
    • #335 Bump @actions/core from 1.3.0 to 1.4.0
    • #337 Bump glob-parent from 5.1.1 to 5.1.2
    Commits
    • fbeda37 Merge pull request #338 from codecov/1.5.1
    • ebcf63d Update changelog
    • a3e633d Merge pull request #339 from codecov/action-version
    • b8f6852 lint
    • c9d0b81 fix: Add action version
    • 8f0855a Bump to 1.5.1
    • c53d6ba Merge pull request #337 from codecov/dependabot/npm_and_yarn/glob-parent-5.1.2
    • 67f597a Merge pull request #336 from slarse/update-bash-uploader-to-1.0.3
    • 23d3003 Merge pull request #321 from codecov/dependabot/npm_and_yarn/typescript-4.3.2
    • 328e5ac Merge pull request #332 from codecov/dependabot/npm_and_yarn/actions/exec-1.1.0
    • Additional commits viewable in compare view

    dependencies actions 
    opened by dependabot[bot] 3
  • Vaku (homebrew version) will not execute on Fedora Linux or WSL

    Issue

    After successfully installing linuxbrew, ensuring PATH is set correctly, installing vaku and setting /home/linuxbrew/.linuxbrew/Cellar/vaku/1.1.1/bin/vaku to be executable, attempting to run vaku fails with the following error:

    $ vaku -h
    bash: /home/linuxbrew/.linuxbrew/bin/vaku: cannot execute binary file: Exec format error

    Steps Taken

    $ sh -c "$(curl -fsSL https://raw.githubusercontent.com/Linuxbrew/install/master/install.sh)"
    $ test -d ~/.linuxbrew && eval $(~/.linuxbrew/bin/brew shellenv)
    $ test -d /home/linuxbrew/.linuxbrew && eval $(/home/linuxbrew/.linuxbrew/bin/brew shellenv)
    $ test -r ~/.bash_profile && echo "eval \$($(brew --prefix)/bin/brew shellenv)" >>~/.bash_profile
    $ brew install lingrino/tap/vaku
    $ vaku -h
    bash: /home/linuxbrew/.linuxbrew/bin/vaku: Permission denied
    $ chmod 555 /home/linuxbrew/.linuxbrew/Cellar/vaku/1.1.1/bin/vaku
    $ vaku -h
    bash: /home/linuxbrew/.linuxbrew/bin/vaku: cannot execute binary file: Exec format error

    Additional Info

    The vault binary included with the homebrew version of vaku executes without issue.

    $ vault -h
    Usage: vault <command> [args]
    <snip>

    $ file /home/linuxbrew/.linuxbrew/Cellar/vault/1.2.2/bin/vault
    /home/linuxbrew/.linuxbrew/Cellar/vault/1.2.2/bin/vault: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=SO1z1SDfi0jHi9Es0U-L/loeYoDLiiRizqE3Ftg_h/9pGJhh4sewGN5N0Hnyjp/KJ4ke0EOnHGwhY6QVTx8, not stripped

    $ file /home/linuxbrew/.linuxbrew/Cellar/vaku/1.1.1/bin/vaku
    /home/linuxbrew/.linuxbrew/Cellar/vaku/1.1.1/bin/vaku: Mach-O 64-bit x86_64 executable

    System Info

    This issue has presented on Fedora 30 and in the Pengwin (Debian) WSL distribution.

    $ uname -a
    Linux hostname 4.4.0-18362-Microsoft #1-Microsoft Mon Mar 18 12:02:00 PST 2019 x86_64 GNU/Linux

    $ uname -a
    Linux hostname.domain.local 5.2.8-200.fc30.x86_64 #1 SMP Sat Aug 10 13:21:39 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

    opened by synaptis 3
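The mismatch in this report, a Mach-O binary installed where the Linux loader expects an ELF, is detectable from the file's first bytes before the shell ever reports Exec format error, and the same check applies to the README's "download the binary for your os/arch" route. As an added example, not part of vaku or its Homebrew tap: a small Go preflight that reads a binary's magic bytes and compares the detected container with what runtime.GOOS needs. The names Format, DetectFormat, ExpectedFormat, Runnable and CheckFile are the example's own; the magic values are the standard ELF, Mach-O and PE signatures that file(1) also relies on.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
	"runtime"
)

// Format is the executable container a platform's loader expects.
type Format string

const (
	ELF     Format = "ELF"
	MachO   Format = "Mach-O"
	PE      Format = "PE"
	Unknown Format = "unknown"
)

// DetectFormat classifies an executable from its leading bytes.
func DetectFormat(head []byte) Format {
	switch {
	case bytes.HasPrefix(head, []byte{0x7f, 'E', 'L', 'F'}):
		return ELF
	case bytes.HasPrefix(head, []byte{0xcf, 0xfa, 0xed, 0xfe}), // MH_MAGIC_64, little-endian on disk
		bytes.HasPrefix(head, []byte{0xce, 0xfa, 0xed, 0xfe}), // MH_MAGIC (32-bit), little-endian
		bytes.HasPrefix(head, []byte{0xca, 0xfe, 0xba, 0xbe}): // FAT_MAGIC universal binary (also Java class files)
		return MachO
	case bytes.HasPrefix(head, []byte("MZ")): // DOS stub that every PE image starts with
		return PE
	}
	return Unknown
}

// ExpectedFormat maps a GOOS value to the container its loader runs.
func ExpectedFormat(goos string) Format {
	switch goos {
	case "linux", "freebsd", "openbsd", "netbsd":
		return ELF
	case "darwin":
		return MachO
	case "windows":
		return PE
	}
	return Unknown
}

// Runnable reports the detected format and whether goos can execute it.
func Runnable(head []byte, goos string) (Format, bool) {
	f := DetectFormat(head)
	return f, f != Unknown && f == ExpectedFormat(goos)
}

// CheckFile reads the first bytes of path and applies Runnable for goos.
func CheckFile(path, goos string) (Format, bool, error) {
	fh, err := os.Open(path)
	if err != nil {
		return Unknown, false, err
	}
	defer fh.Close()
	head := make([]byte, 4)
	if _, err := io.ReadFull(fh, head); err != nil {
		return Unknown, false, fmt.Errorf("%s: too short to be an executable: %w", path, err)
	}
	f, ok := Runnable(head, goos)
	return f, ok, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: binfmt-check <path-to-binary>")
		os.Exit(2)
	}
	f, ok, err := CheckFile(os.Args[1], runtime.GOOS)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if !ok {
		fmt.Printf("%s is %s, but %s expects %s\n", os.Args[1], f, runtime.GOOS, ExpectedFormat(runtime.GOOS))
		os.Exit(1)
	}
	fmt.Printf("%s: %s, runnable on %s\n", os.Args[1], f, runtime.GOOS)
}
```

Run against the vaku path from the report on a Linux host, the check reports Mach-O where ELF is expected and exits non-zero, which is the signal a packaging pipeline wants before it publishes a tap or release asset. The check says nothing about CPU architecture; a wrong-arch ELF still needs the ELF header's machine field, which file(1) prints as in the report.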
  • Bump github.com/hashicorp/vault-plugin-secrets-kv from 0.13.0 to 0.13.2

    Bumps github.com/hashicorp/vault-plugin-secrets-kv from 0.13.0 to 0.13.2.

    Commits
    • 86e80b5 VAULT-8631 Make upgrade synchronous when no keys to upgrade (#66) (#67)
    • 929c041 Release commit for v0.13.1
    • 562a5be Updated following the plugin release process (#65)
    • 05d1235 Prevent the pattern matching for KV V2 operations if a trailing slash… (#64)
    • 5c55bbe Update jira action (#54)
    • See full diff in compare view

    dependencies go 
    opened by dependabot[bot] 2
  • Bump github.com/hashicorp/vault from 1.11.3 to 1.11.4

    Bumps github.com/hashicorp/vault from 1.11.3 to 1.11.4.

    Changelog

    Sourced from github.com/hashicorp/vault's changelog.

    1.12.0

    Unreleased

    CHANGES:

    • core/entities: Fixed stranding of aliases upon entity merge, and require explicit selection of which aliases should be kept when some must be deleted [GH-16539]
    • core: Bump Go version to 1.19.1.
    • core: Validate input parameters for vault operator init command. Vault 1.12 CLI version is needed to run operator init now. [GH-16379]
    • identity: a request to /identity/group that includes member_group_ids that contains a cycle will now be responded to with a 400 rather than 500 [GH-15912]
    • licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades will not be allowed if the license termination time is before the build date of the binary.
    • plugins: GET /sys/plugins/catalog/:type/:name endpoint now returns an additional version field in the response data. [GH-16688]
    • plugins: GET /sys/plugins/catalog endpoint now returns an additional detailed field in the response data with a list of additional plugin metadata. [GH-16688]

    FEATURES:

    • Secrets/auth plugin multiplexing: manage multiple plugin configurations with a single plugin process [GH-14946]
    • secrets/database/hana: Add ability to customize dynamic usernames [GH-16631]
    • secrets/pki: Add an OCSP responder that implements a subset of RFC6960, answering single serial number OCSP requests for a specific cluster's revoked certificates in a mount. [GH-16723]
    • ui: UI support for Okta Number Challenge. [GH-15998]

    IMPROVEMENTS:

    • activity (enterprise): Added new clients unit tests to test accuracy of estimates
    • agent: Added disable_idle_connections configuration to disable leaving idle connections open in auto-auth, caching and templating. [GH-15986]
    • agent: Added disable_keep_alives configuration to disable keep alives in auto-auth, caching and templating. [GH-16479]
    • agent: JWT auto auth now supports a remove_jwt_after_reading config option which defaults to true. [GH-11969]
    • agent: Send notifications to systemd on start and stop. [GH-9802]
    • api/mfa: Add namespace path to the MFA read/list endpoint [GH-16911]
    • api: Add a sentinel error for missing KV secrets [GH-16699]
    • auth/aws: PKCS7 signatures will now use SHA256 by default in prep for Go 1.18 [GH-16455]
    • auth/cert: Add metadata to identity-alias [GH-14751]
    • auth/gcp: Add support for GCE regional instance groups [GH-16435]
    • auth/jwt: Adds support for Microsoft US Gov L4 to the Azure provider for groups fetching. [GH-16525]
    • auth/jwt: Improves detection of Windows Subsystem for Linux (WSL) for CLI-based logins. [GH-16525]
    • auth/kerberos: add add_group_aliases config to include LDAP groups in Vault group aliases [GH-16890]
    • auth/kerberos: add remove_instance_name parameter to the login CLI and the Kerberos config in Vault. This removes any instance names found in the keytab service principal name. [GH-16594]
    • auth/oidc: Adds support for group membership parsing when using SecureAuth as an OIDC provider. [GH-16274]
    • cli: CLI commands will print a warning if flags will be ignored because they are passed after positional arguments. [GH-16441]
    • command/audit: Improve missing type error message [GH-16409]
    • command/server: add -dev-tls and -dev-tls-cert-dir subcommands to create a Vault dev server with generated certificates and private key. [GH-16421]
    • core (enterprise): Add HTTP PATCH support for namespaces with an associated namespace patch CLI command
    • core (enterprise): Add check to vault server command to ensure configured storage backend is supported.
    • core (enterprise): Add custom metadata support for namespaces
    • core/activity: generate hyperloglogs containing clientIds for each month during precomputation [GH-16146]
    • core/activity: refactor activity log api to reuse partial api functions in activity endpoint when current month is specified [GH-16162]
    • core/activity: use monthly hyperloglogs to calculate new clients approximation for current month [GH-16184]

    ... (truncated)

    Commits
    • b47a9e7 backport of commit 7f22056686b5a8e71c66e73eeaab4403809b791c (#17039)
    • e55f85c backport of commit 6c399c1c3b1c24ee830ef62d7966687a01dc5833 (#17286)
    • 24d357e backport of commit fe3daa411ae09f57c38e648f9a9eec54c073b6ca (#17274)
    • 9064683 resolved conflict (#17262)
    • cd100f9 backport of commit 3eafec8f451625069ca7c08db581df5f7f53e92f (#17207)
    • d3e20ac backport of commit 523e91601376cbde9fc83cea87576f70f2394cb5 (#17191)
    • 9428784 backport of commit 0e84613cc4b231502cadb3fc431f01175d7e7c19 (#17177)
    • 31b7a0f backport of commit 5bc40d1fa9b541d6126f2a218b39f118e2f94ebd (#17169)
    • c304d68 auth/kubernetes: upgrade to v0.13.2 in release/1.11.x (#17162)
    • 4ecf420 backport of commit 8fddccdff0ba3004001a5f96a21a0ae5b69d35ed (#17156)
    • Additional commits viewable in compare view

    dependencies go 
    opened by dependabot[bot] 2
  • Bump github.com/hashicorp/vault-plugin-secrets-kv from 0.13.0 to 0.13.1

    Bumps github.com/hashicorp/vault-plugin-secrets-kv from 0.13.0 to 0.13.1.

    Commits
    • 929c041 Release commit for v0.13.1
    • 562a5be Updated following the plugin release process (#65)
    • 05d1235 Prevent the pattern matching for KV V2 operations if a trailing slash… (#64)
    • 5c55bbe Update jira action (#54)
    • See full diff in compare view

    dependencies go 
    opened by dependabot[bot] 2
  • Bump github.com/hashicorp/vault/sdk from 0.5.3 to 0.6.0

    Bumps github.com/hashicorp/vault/sdk from 0.5.3 to 0.6.0.

    Changelog

    Sourced from github.com/hashicorp/vault/sdk's changelog.

    0.6.0 (June 14th, 2016)

    SECURITY:

    • Although sys/revoke-prefix was intended to revoke prefixes of secrets (via lease IDs, which incorporate path information) and auth/token/revoke-prefix was intended to revoke prefixes of tokens (using the tokens' paths and, since 0.5.2, role information), in implementation they both behaved exactly the same way since a single component in Vault is responsible for managing lifetimes of both, and the type of the tracked lifetime was not being checked. The end result was that either endpoint could revoke both secret leases and tokens. We consider this a very minor security issue as there are a number of mitigating factors: both endpoints require sudo capability in addition to write capability, preventing blanket ACL path globs from providing access; both work by using the prefix to revoke as a part of the endpoint path, allowing them to be properly ACL'd; and both are intended for emergency scenarios and users should already not generally have access to either one. In order to prevent confusion, we have simply removed auth/token/revoke-prefix in 0.6, and sys/revoke-prefix will be meant for both leases and tokens instead.

    DEPRECATIONS/CHANGES:

    • auth/token/revoke-prefix has been removed. See the security notice for details. GH-1280
    • Vault will now automatically register itself as the vault service when using the consul backend and will perform its own health checks. See the Consul backend documentation for information on how to disable auto-registration and service checks.
    • List operations that do not find any keys now return a 404 status code rather than an empty response object GH-1365
    • CA certificates issued from the pki backend no longer have associated leases, and any CA certs already issued will ignore revocation requests from the lease manager. This is to prevent CA certificates from being revoked when the token used to issue the certificate expires; it was not obvious to users that they needed to ensure that the token lifetime was at least as long as a potentially very long-lived CA cert.

    FEATURES:

    • AWS EC2 Auth Backend: Provides a secure introduction mechanism for AWS EC2 instances allowing automated retrieval of Vault tokens. Unlike most Vault authentication backends, this backend does not require first deploying or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc). Instead, it treats AWS as a Trusted Third Party and uses the cryptographically signed dynamic metadata information that uniquely represents each EC2 instance. Vault Enterprise customers have access to a turnkey client that speaks the backend API and makes access to a Vault token easy.

    ... (truncated)

    Commits
    • f627c01 Cut version 0.6.0
    • 5b7e680 Add updated wrapping information
    • 926e56e Merge pull request #1520 from hashicorp/wrapinfo-accessor
    • 65cdcd6 Add some commenting
    • 47dc1cc Add token accessor to wrap information if one exists
    • 4f039d0 Merge pull request #1518 from hashicorp/fix-bound-ami-id
    • e521894 Added bound_ami_id check
    • 117200c Fix mah broken tests
    • c6ded38 cubbyhole-response-wrapping -> response-wrapping
    • 1e67cd8 Merge pull request #1513 from hashicorp/field-data-get-default
    • Additional commits viewable in compare view

    dependencies go 
    opened by dependabot[bot] 2
  • Bump github.com/hashicorp/vault/api from 1.7.2 to 1.8.0

    Bumps github.com/hashicorp/vault/api from 1.7.2 to 1.8.0.

    Release notes

    Sourced from github.com/hashicorp/vault/api's releases.

    v1.8.0

    1.8.0

    July 28th, 2021

    CHANGES:

    • agent: Errors in the template engine will no longer cause agent to exit unless explicitly defined to do so. A new configuration parameter, exit_on_retry_failure, within the new top-level stanza, template_config, can be set to true in order to cause agent to exit. Note that for agent to exit if template.error_on_missing_key is set to true, exit_on_retry_failure must be also set to true. Otherwise, the template engine will log an error but then restart its internal runner. [GH-11775]
    • agent: Update to use IAM Service Account Credentials endpoint for signing JWTs when using GCP Auto-Auth method [GH-11473]
    • core (enterprise): License/EULA changes that ensure the presence of a valid HashiCorp license to start Vault. More information is available in the Vault License FAQ

    FEATURES:

    • GCP Secrets Engine Static Accounts: Adds ability to use existing service accounts for generation of service account keys and access tokens. [GH-12023]
    • Key Management Secrets Engine (Enterprise): Adds general availability for distributing and managing keys in AWS KMS. [GH-11958]
    • License Autoloading (Enterprise): Licenses may now be automatically loaded from the environment or disk.
    • MySQL Database UI: The UI now supports adding and editing MySQL connections in the database secret engine [GH-11532]
    • Vault Diagnose: A new vault operator command to detect common issues with vault server setups.

    IMPROVEMENTS:

    • agent/template: Added static_secret_render_interval to specify how often to fetch non-leased secrets [GH-11934]
    • agent: Allow Agent auto auth to read symlinked JWT files [GH-11502]
    • api: Allow a leveled logger to be provided to api.Client through SetLogger. [GH-11696]
    • auth/aws: Underlying error included in validation failure message. [GH-11638]
    • cli/api: Add lease lookup command [GH-11129]
    • core: Add prefix_filter to telemetry config [GH-12025]
    • core: Add a darwin/arm64 binary release supporting the Apple M1 CPU [GH-12071]
    • core: Add a small (<1s) exponential backoff to failed TCP listener Accept failures. [GH-11588]
    • core (enterprise): Add controlled capabilities to control group policy stanza
    • core: Add metrics for standby node forwarding. [GH-11366]
    • core: Add metrics to report if a node is a perf standby, if a node is a dr secondary or primary, and if a node is a perf secondary or primary. [GH-11472]
    • core: Send notifications to systemd on start, stop, and configuration reload. [GH-11517]
    • core: add irrevocable lease list and count apis [GH-11607]
    • core: allow arbitrary length stack traces upon receiving SIGUSR2 (was 32MB) [GH-11364]
    • db/cassandra: Added tls_server_name to specify server name for TLS validation [GH-11820]
    • go: Update to Go 1.16.5 [GH-11802]
    • raft: Improve raft batch size selection [GH-11907]
    • raft: change freelist type to map and set nofreelistsync to true [GH-11895]
    • replication: Delay evaluation of X-Vault-Index headers until merkle sync completes.
    • secrets/rabbitmq: Add ability to customize dynamic usernames [GH-11899]
    • secrets/ad: Add rotate-role endpoint to allow rotations of service accounts. [GH-11942]

    ... (truncated)

    Changelog

    Sourced from github.com/hashicorp/vault/api's changelog.

    1.8.0

    July 28th, 2021

    CHANGES:

    • agent: Errors in the template engine will no longer cause agent to exit unless explicitly defined to do so. A new configuration parameter, exit_on_retry_failure, within the new top-level stanza, template_config, can be set to true in order to cause agent to exit. Note that for agent to exit if template.error_on_missing_key is set to true, exit_on_retry_failure must be also set to true. Otherwise, the template engine will log an error but then restart its internal runner. [GH-11775]
    • agent: Update to use IAM Service Account Credentials endpoint for signing JWTs when using GCP Auto-Auth method [GH-11473]
    • core (enterprise): License/EULA changes that ensure the presence of a valid HashiCorp license to start Vault. More information is available in the Vault License FAQ

    FEATURES:

    • GCP Secrets Engine Static Accounts: Adds ability to use existing service accounts for generation of service account keys and access tokens. [GH-12023]
    • Key Management Secrets Engine (Enterprise): Adds general availability for distributing and managing keys in AWS KMS. [GH-11958]
    • License Autoloading (Enterprise): Licenses may now be automatically loaded from the environment or disk.
    • MySQL Database UI: The UI now supports adding and editing MySQL connections in the database secret engine [GH-11532]
    • Vault Diagnose: A new vault operator command to detect common issues with vault server setups.

    SECURITY:

    • storage/raft: When initializing Vault’s Integrated Storage backend, excessively broad filesystem permissions may be set for the underlying Bolt database used by Vault’s Raft implementation. This vulnerability, CVE-2021-38553, was fixed in Vault 1.8.0.
    • ui: The Vault UI erroneously cached and exposed user-viewed secrets between authenticated sessions in a single shared browser, if the browser window / tab was not refreshed or closed between logout and a subsequent login. This vulnerability, CVE-2021-38554, was fixed in Vault 1.8.0 and will be addressed in pending 1.7.4 / 1.6.6 releases.

    IMPROVEMENTS:

    • agent/template: Added static_secret_render_interval to specify how often to fetch non-leased secrets [GH-11934]
    • agent: Allow Agent auto auth to read symlinked JWT files [GH-11502]
    • api: Allow a leveled logger to be provided to api.Client through SetLogger. [GH-11696]
    • auth/aws: Underlying error included in validation failure message. [GH-11638]
    • cli/api: Add lease lookup command [GH-11129]
    • core: Add prefix_filter to telemetry config [GH-12025]
    • core: Add a darwin/arm64 binary release supporting the Apple M1 CPU [GH-12071]
    • core: Add a small (<1s) exponential backoff to failed TCP listener Accept failures. [GH-11588]
    • core (enterprise): Add controlled capabilities to control group policy stanza
    • core: Add metrics for standby node forwarding. [GH-11366]
    • core: Add metrics to report if a node is a perf standby, if a node is a dr secondary or primary, and if a node is a perf secondary or primary. [GH-11472]
    • core: Send notifications to systemd on start, stop, and configuration reload. [GH-11517]
    • core: add irrevocable lease list and count apis [GH-11607]
    • core: allow arbitrary length stack traces upon receiving SIGUSR2 (was 32MB) [GH-11364]
    • core: Improve renew/revoke performance using per-lease locks [GH-11122]
    • db/cassandra: Added tls_server_name to specify server name for TLS validation [GH-11820]
    • go: Update to Go 1.16.5 [GH-11802]

    ... (truncated)

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies go 
    opened by dependabot[bot] 2
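The SECURITY entry for storage/raft in the changelog above (CVE-2021-38553, overly broad permissions on the Bolt database behind Integrated Storage) is the kind of thing worth checking on any node, since a database file created by an earlier release keeps whatever mode it was created with. The following is an added example, not code from Vault or from vaku: it walks a data directory and reports every file or directory whose mode grants any access to group or other. The layout it is run against (a `raft/` subdirectory holding `vault.db`) is assumed from the Integrated Storage defaults, and the "0600 files, 0700 directories" expectation is this example's own policy, not a value quoted from the changelog.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Finding is one filesystem object whose permission bits grant access to
// group or other. Path is relative to the audited root.
type Finding struct {
	Path string
	Mode fs.FileMode
}

// AuditDataDir walks root and returns every file or directory that is
// readable, writable or executable by group or other (any g/o bit set).
// The policy is the example's own: a Vault data directory, including
// raft/ and the Bolt database in it, should be private to the vault user
// (0600 files, 0700 directories). Symlinks are skipped because their own
// mode is always 0777 and says nothing about the target.
func AuditDataDir(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.Type()&fs.ModeSymlink != 0 {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		mode := info.Mode().Perm()
		if mode&0o077 != 0 {
			rel, err := filepath.Rel(root, p)
			if err != nil {
				return err
			}
			findings = append(findings, Finding{Path: rel, Mode: mode})
		}
		return nil
	})
	if err != nil {
		return nil, err
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Path < findings[j].Path })
	return findings, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: auditdatadir <vault-data-dir>")
		os.Exit(2)
	}
	findings, err := AuditDataDir(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%-40s %04o\n", f.Path, f.Mode)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero so a cron job or CI step notices
	}
}
```

Run it as the vault user against the `path` from the storage stanza; an empty report and exit status 0 is the expected result on a node whose files were created by 1.8.0 or later, and anything it lists is a candidate for `chmod 0600` (files) or `chmod 0700` (directories) after confirming nothing else needs the access.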
  • Add possibility to plug in custom mounts provider

    Hi!

    This relates to #157 which I've revisited now. Ultimately selecting a global version for the KV engine was not flexible enough as it would not allow for secret engines to be mounted in arbitrary locations in the tree.

    This PR makes it possible to supply your own mount list through a new interface. It solves the use case I have, which is purely to use vaku as a library. I have not done any changes to the CLI (I'm not sure there are any reasonable changes to be done).

    Any feedback is appreciated!

    opened by tobgu 0
  • Can't use vaku without read capability on sys/mounts

    I've run up against an issue where "normal" users cannot use most of the functionality in vaku since it relies on a call to https://github.com/lingrino/vaku/blob/main/api/mounts.go#L46 which requires read capability on sys/mounts.

    We don't want to assign this capability to non-admin users as it would expose information/existence about mounts that the user does not have access to.

    The only way I know of to get this information without using sys/mounts is through an internal endpoint used by the GUI which provides you with similar information, but scoped to the mounts that you have access to. https://www.vaultproject.io/api-docs/system/internal-ui-mounts

    That the endpoint is internal is a problem of course wrt stability and existence. I've written an issue on Vault for this but I don't have high hopes of a quick solution to it: https://github.com/hashicorp/vault/issues/15724

    The only way around this that I can think of is to make it possible to make the "mount source" pluggable to avoid requiring access to sys/mounts. In that way we could, for example, use the above internal endpoint at our own risk to get the information. Or some other static configuration available in our use case. Perhaps you have better ideas for how to tackle this?

    opened by tobgu 2
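The PR "Add possibility to plug in custom mounts provider" and this issue come down to the same design point: the only thing the path-based operations need from sys/mounts is the mount table (which prefixes are KV mounts, and which KV version each speaks), because that table decides whether a read goes to `mount/key` (KV v1) or `mount/data/key` (KV v2) and whether a list goes to `mount/metadata/`. Once the table's source is an interface, a token that cannot read sys/mounts can supply it from a static configuration or from whatever the scoped internal UI endpoint returns. The Go below is an added illustration of that shape, not vaku's API and not the code in the PR: the `MountProvider` interface, the two providers and the resolver are this example's own names, and the JSON provider assumes the sys/mounts response shape (mount path as key, `type`, and `options.version` for KV) with a constructed sample in the test.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Mount is what a path-based KV operation needs to know about a mount:
// where it sits and which KV version it speaks.
type Mount struct {
	Path    string // normalized to "name/" (trailing slash, no leading slash)
	Version int    // 1 or 2
}

// MountProvider is the pluggable source of the mount table. Nothing in
// this file talks to Vault; the caller decides where the table comes from.
type MountProvider interface {
	Mounts() ([]Mount, error)
}

// StaticMountProvider serves a caller-supplied table, the option for a
// token that is not allowed to read sys/mounts.
type StaticMountProvider struct{ Table []Mount }

func (s StaticMountProvider) Mounts() ([]Mount, error) { return s.Table, nil }

// JSONMountProvider parses the mount-table shape sys/mounts returns (keys
// are mount paths, each with "type" and optional "options.version"); the
// assumption here is that the internal UI mounts endpoint yields the same
// shape for the mounts the token can see. Only KV mounts are kept, and
// the legacy "generic" type is treated as KV v1.
type JSONMountProvider struct{ Raw []byte }

func (j JSONMountProvider) Mounts() ([]Mount, error) {
	var table map[string]struct {
		Type    string            `json:"type"`
		Options map[string]string `json:"options"`
	}
	if err := json.Unmarshal(j.Raw, &table); err != nil {
		return nil, fmt.Errorf("mount table: %w", err)
	}
	var out []Mount
	for p, m := range table {
		if m.Type != "kv" && m.Type != "generic" {
			continue
		}
		v := 1
		if m.Options["version"] == "2" { // nil Options (JSON null) reads as ""
			v = 2
		}
		out = append(out, Mount{Path: normalize(p), Version: v})
	}
	sort.Slice(out, func(a, b int) bool { return out[a].Path < out[b].Path })
	return out, nil
}

func normalize(p string) string {
	return strings.TrimPrefix(strings.TrimSuffix(p, "/"), "/") + "/"
}

var ErrNoMount = errors.New("path is not under any known KV mount")

// Resolve finds the mount a secret path lives under (Vault does not allow
// mounts to nest, so at most one prefix can match) and returns the mount
// together with the path relative to it.
func Resolve(p MountProvider, secretPath string) (Mount, string, error) {
	mounts, err := p.Mounts()
	if err != nil {
		return Mount{}, "", err
	}
	clean := strings.TrimPrefix(secretPath, "/")
	for _, m := range mounts {
		mp := normalize(m.Path)
		if strings.HasPrefix(clean, mp) {
			return Mount{Path: mp, Version: m.Version}, strings.TrimPrefix(clean, mp), nil
		}
	}
	return Mount{}, "", fmt.Errorf("%w: %q", ErrNoMount, secretPath)
}

// DataPath is the API path a read or write goes to: KV v1 addresses the
// key directly, KV v2 inserts "data/" after the mount.
func DataPath(p MountProvider, secretPath string) (string, error) {
	return apiPath(p, secretPath, "data/")
}

// ListPath is the API path a list goes to; KV v2 lists under "metadata/".
func ListPath(p MountProvider, secretPath string) (string, error) {
	return apiPath(p, secretPath, "metadata/")
}

func apiPath(p MountProvider, secretPath, v2Segment string) (string, error) {
	m, rest, err := Resolve(p, secretPath)
	if err != nil {
		return "", err
	}
	if m.Version == 2 {
		return m.Path + v2Segment + rest, nil
	}
	return m.Path + rest, nil
}
```

The security property worth keeping in mind with a static table is that it only has to be correct for the mounts the token actually uses: a wrong version for a mount turns a KV v2 read into a 404 on `mount/key` rather than leaking anything, while an unlisted mount fails closed with `ErrNoMount`.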
  • Add update with Compare and Swap (CAS)

    First of all: Thanks for a very nice and useful library!

    Question: Did you consider adding CAS to the update operations (like this one: https://github.com/lingrino/vaku/blob/v2.5.0/api/path_update.go#L13)?

    It would help in making it race-free.

    opened by tobgu 4
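KV v2's check-and-set is what makes a read-modify-write race-free: the write carries `options.cas` set to the version that was read, and Vault rejects it with a 400 if the current version differs, so the loser of a race re-reads and re-applies its change instead of silently overwriting the winner's. The example below is added here and is not vaku's code: it uses an in-memory stand-in for the KV v2 store (constructed for the example, with the same CAS rule) so it runs offline, behind a `Store` interface where a real client would be plugged in. The function and type names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"sync"
)

// ErrCASMismatch stands in for the HTTP 400 KV v2 returns when the cas
// value does not match the current version.
var ErrCASMismatch = errors.New("check-and-set parameter did not match the current version")

// Secret is one KV v2 version: the data and its version number.
type Secret struct {
	Data    map[string]string
	Version int
}

// Store is the minimal KV v2 surface the updater needs. Read returns
// version 0 and empty data for an absent key. Write applies check-and-set
// when cas is non-nil: it succeeds only if *cas equals the current version
// (0 meaning "the key must not exist yet"). A real client would send cas
// as options.cas on the secret's data/ path.
type Store interface {
	Read(path string) (Secret, error)
	Write(path string, data map[string]string, cas *int) (int, error)
}

// MemStore is an in-memory stand-in, constructed for this example, that
// enforces the same CAS rule.
type MemStore struct {
	mu      sync.Mutex
	secrets map[string]Secret
}

func NewMemStore() *MemStore { return &MemStore{secrets: map[string]Secret{}} }

func (m *MemStore) Read(path string) (Secret, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	cur := m.secrets[path]
	return Secret{Data: copyMap(cur.Data), Version: cur.Version}, nil
}

func (m *MemStore) Write(path string, data map[string]string, cas *int) (int, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	cur := m.secrets[path]
	if cas != nil && *cas != cur.Version {
		return 0, ErrCASMismatch
	}
	next := Secret{Data: copyMap(data), Version: cur.Version + 1}
	m.secrets[path] = next
	return next.Version, nil
}

func copyMap(in map[string]string) map[string]string {
	out := make(map[string]string, len(in))
	for k, v := range in {
		out[k] = v
	}
	return out
}

// UpdateCAS is the race-free read-modify-write: read, mutate the copy,
// write with cas set to the version that was read. A mismatch means
// another writer got in between, so re-read and apply the mutation again
// rather than overwrite their change. Returns the new version.
func UpdateCAS(s Store, path string, mutate func(map[string]string), maxRetries int) (int, error) {
	for attempt := 0; attempt <= maxRetries; attempt++ {
		cur, err := s.Read(path)
		if err != nil {
			return 0, err
		}
		mutate(cur.Data)
		cas := cur.Version
		if v, err := s.Write(path, cur.Data, &cas); err == nil {
			return v, nil
		} else if !errors.Is(err, ErrCASMismatch) {
			return 0, err
		}
	}
	return 0, fmt.Errorf("update %s: still contended after %d retries", path, maxRetries)
}

// IncrementCounter runs n goroutines that each add one to data["count"]
// at path, via UpdateCAS when useCAS is set and via an unguarded
// read-modify-write otherwise, and returns the final count. Only the CAS
// variant is guaranteed to reach n; the other loses updates under a race.
func IncrementCounter(s Store, path string, n int, useCAS bool) (int, error) {
	bump := func(d map[string]string) {
		c, _ := strconv.Atoi(d["count"]) // absent key reads as 0
		d["count"] = strconv.Itoa(c + 1)
	}
	var wg sync.WaitGroup
	errs := make(chan error, n)
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			var err error
			if useCAS {
				_, err = UpdateCAS(s, path, bump, n) // n retries always suffice for n writers
			} else if cur, rerr := s.Read(path); rerr != nil {
				err = rerr
			} else {
				bump(cur.Data)
				_, err = s.Write(path, cur.Data, nil)
			}
			if err != nil {
				errs <- err
			}
		}()
	}
	wg.Wait()
	close(errs)
	if err := <-errs; err != nil {
		return 0, err
	}
	final, err := s.Read(path)
	if err != nil {
		return 0, err
	}
	return strconv.Atoi(final.Data["count"])
}
```

The retry bound in `UpdateCAS` is deliberate: every mismatch corresponds to some other writer's success, so with n concurrent writers a caller never needs more than n-1 retries, and a loop that still fails after that is reporting real contention rather than masking it. Note that a mount with `cas_required` set makes Vault reject any write without `cas`, which is the server-side way to force every client onto this path.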
Releases(v2.5.1)
Owner
Sean Lingren
SRE @ Loom
This is a Go CLI app that receives a string path to a log file and, based on it, generates and prints to the console an encoded polyline with the locations found in the log file.

GEOENCODE GO CLI APP DESCRIPTION This is a Go Cli app that receives an string path to a log file, and based on it generates and prints in console an e

Jose Luis Ojeda 1 Oct 1, 2021
A simple CLI used to clean up old folders

cleanup folder A simple CLI use to cleanup old folder Building $ go build $ ./cleanup Cleanup is a CLI application to remove old folder by max number

Nguyễn Đắc Toàn 1 Nov 19, 2022
Simple CLI interface to in-memory key/value storage a la redis.

Simple memory key value Simple CLI interface to in-memory key/value storage a la redis. Running Can be run through go directly or through docker using

Paul 0 Jan 7, 2022
Simple command line tool helper to integrate with hashicorp vault & github api

Overview CI/CD Toolkit is small command line tool helper to integrate with vault secret kv management & github api We can use simple command to genera

M Azwar Nurrosat 1 Apr 2, 2022
CLI tool for CIDR range operations (check, generate)

cidrchk A CLI tool to assist you with CIDR ranges and IPs. Install it You can download the latest binary for Linux (Intel and Arm), macOS, and Windows

Michael Hausenblas 130 Oct 16, 2022
Cross-platform CLI app to perform various operations on strings

sttr is command line software that allows you to quickly run various transformation operations on the string.

Abhimanyu Sharma 610 Nov 16, 2022
Simple CLI util for running OCR on images through PERO OCR API

pero_ocr Simple CLI util for running OCR on images through PERO OCR API Usage: Usage of batch_pero_ocr: -c string cancel request with given

Moravian Library in Brno 2 Dec 1, 2021
A golang tag key value parser

tag_parser A golang tag key value parser Installation go get github.com/gvassili/tag_parser Example package main import ( "fmt" "github.com/gvass

Gwenael 0 Nov 24, 2021
Green: a distribute key value system for optimize block chain data

Introduce Green is a distribute key value system for optimize block chain data A

null 0 Jan 6, 2022
Grab is a tool that downloads source code repositories into a convenient directory layout created from the repo's URL's domain and path

Grab is a tool that downloads source code repositories into a convenient directory layout created from the repo's URL's domain and path. It supports Git, Mercurial (hg), Subversion, and Bazaar repositories.

Jeff Hodges 19 Jun 2, 2022
Go-api-cli - Small CLI to fetch data from an API sync and async

Async API Cli CLI to fetch data on "todos" from a given API in a number of ways.

Pete Robinson 0 Jan 13, 2022
✨ Create a new production-ready project with backend, frontend and deploy automation by running one CLI command!

✨ Create a new production-ready project with backend, frontend and deploy automation by running one CLI command!

Create Go App 1.6k Nov 19, 2022
Runc: a CLI tool for spawning and running containers on Linux according to the OCI specification

runc Introduction runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. This repo contains a lightly mod

Brian 0 Dec 16, 2021
K-Mesh is an experimental Knative distribution which provides a fresh, CLI-focused, holistic user experience of running and managing Knative.

K-Mesh is an experimental Knative distribution which provides a fresh, CLI-focused, holistic user experience of running and managing Knative. N

Ahmed Abdalla Abdelrehim 0 Feb 14, 2022
A CLI tool for running Go commands with colorized output

Goli Goli is a CLI Tool for running Go commands with colorized output. Note: Goli is still a WIP. It has very basic commands and limitations. Feel fre

Arthur Diniz 15 Jun 27, 2022
Clirunner - Package clirunner runs a legacy shell-style CLI as if a human were running it.

clirunner Package clirunner runs a legacy shell-style command-line interpreter (CLI) as if a human were running it. A shell-style CLI offers a prompt

Jeff Regan 0 Jan 4, 2022
The blackbean is a command tool for elasticsearch operations by using cobra.

The blackbean is a command tool for elasticsearch operations by using cobra. Besides, blackbean is the name of my lovely French bulldog.

null 23 Mar 3, 2022
sttr is command line software that allows you to quickly run various transformation operations on the string.

sttr is command line software that allows you to quickly run various transformation operations on the string.

Abhimanyu Sharma 60 Sep 21, 2021
A TUI multitool for day-to-day operations for software applications.

Bench (WIP) A TUI multitool for day-to-day operations for software applications. Lets you do common operations needed during IT work that are common e

null 1 Dec 5, 2021