vsh
is an interactive HashiCorp Vault shell and cli tool. It comes with multiple common operations and treats paths like directories and files.
Core features are:
- recursive operations on paths for many operations, e.g.,
cp
,rm
,mv
- search with
grep
(substring or regular-expression) - substitute patterns in keys and/or values (substring or regular-expression) with
replace
- transparency towards differences between KV1 and KV2, i.e., you can freely move/copy secrets between both
- non-interactive mode for automation (
vsh -c "<cmd>"
) - merging keys with different strategies through
append
brew install vsh
nix-env -i vsh
Download latest static binaries from release page.
- add adds a single key and value to a path
- append merges secrets with different strategies (allows recursive operation on paths)
- cat shows the key/value pairs of a path
- cd allows interactive navigation through the paths
- cp copies secrets from one location to another (allows recursive operation on paths)
- grep searches for substrings or regular expressions (allows recursive operation on paths)
- ls shows the subpaths of a given path
- mv moves secrets from one location to another (allows recursive operation on paths)
- replace substrings or regular expressions (allows recursive operation on paths)
- rm removes secret(s) (allows recursive operation on paths)
In order to get a valid token, vsh
uses vault's TokenHelper mechanism.
That means vsh
supports setting vault tokens via ~/.vault-token
, VAULT_TOKEN
and external token-helper.
Add tls certificate for server by setting VAULT_CACERT
environment variable to the pem
certificate path.
vsh
requires List
permission on the operated paths.
This is necessary to determine if a path points to a node or leaf in the path tree.
Further, it is needed to gather auto-completion data.
Commands which alter the data like cp
or mv
, additionally require Read
and Write
permissions on the operated paths.
In order to reliably discover all available backends, ideally the vault token used by vsh
has List
permission on sys/mount
. However, this is not a hard requirement.
If the token doesn't have List
permission on sys/mount
, then vsh
does not know the available backends beforehand.
That means initially there won't be path auto-completion on the top (backend) level.
Regardless, vsh
will try with best-effort strategy to reliably determine the kv version of every entered path.
export VAULT_ADDR=http://localhost:8080
export VAULT_TOKEN=root
export VAULT_PATH=secret/ # VAULT_PATH is optional
./vsh
http://localhost:8080 /secret/>
Note: the given token is used for auto-completion, i.e., List()
queries are done with that token, even if you do not rm
or mv
anything.
vsh
caches List()
results to reduce the amount of queries. However, after execution of each command the cache is cleared
in order to do accurate tab-completion.
If your token has a limited number of uses, then consider using the non-interactive mode or toggle auto-completion off, to avoid List()
queries.
To reduce the number of queries against vault, you can disable path auto-completion in 2 ways:
- Disable at start time:
./vsh --disable-auto-completion
- Toggle inside interactive mode:
./vsh
http://localhost:8080 /secret/> toggle-auto-completion
Use path auto-completion: false
http://localhost:8080 /secret/> toggle-auto-completion
Use path auto-completion: true
export VAULT_ADDR=<addr>
export VAULT_TOKEN=<token>
./vsh -c "rm secret/dir/to/remove/"
Working on vault secrets can be critical, making quality and correct behavior a first class citizen for vsh
.
That being said, vsh
is still a small open source project, meaning we cannot give any guarantees.
However, we put strong emphasis on test-driven development.
Every PR is tested with an extensive suite of integration tests.
Vast majority of tests run on KV1 and KV2 and every test runs against vault 1.13.4
and 1.16.2
, i.e., vault versions in between are likely to be compatible too.
vsh
is at your own risk. We do not hold any responsibility and do not give any guarantees.
Contributions in any form are always welcome! Without contributions from the community, vsh
wouldn't be the tool it is today.
Requirements:
golang
(>= v1.21
)docker
for integration testingmake
for simplified commands
make compile
make get-bats
make integration-tests
-v DEBUG
sets debug log level, which also creates a vsh_trace.log
file to log any error object from the vault API.