A collection of CLI tools for managing HashiCorp Vault.
Project description
Vault Management Toolkit 🧰
A collection of CLI tools for managing, comparing, migrating, and rolling out HashiCorp Vault clusters, with support for OIDC authentication and Kubernetes rollouts.
Features
- Secure OIDC Authentication for Vault clusters
- Detailed Secret Comparison between Vault instances
- Full RAFT Snapshot Migration with selective overrides
- Kubernetes Rollout Management for Vault clusters
- CLI entry point:
vault-mgmt
Installation
Using pip (recommended)
pip install .
# or for development
pip install -e .
CLI Usage
The toolkit provides a unified CLI:
vault-mgmt [command] [options]
All commands support --help for more options.
Authentication
OIDC is the default (interactive) auth method. You can also use Kubernetes auth for non-interactive runs.
Kubernetes auth (non-interactive)
vault-mgmt compare \
--source-vault-addr ... \
--destination-vault-addr ... \
--source-auth-method kubernetes \
--source-auth-mount k8s-cluster-a \
--source-auth-role vault-read \
--dest-auth-method kubernetes \
--dest-auth-mount k8s-cluster-b \
--dest-auth-role vault-write
YAML auth config
source:
method: kubernetes
mount: k8s-cluster-a
role: vault-read
jwt_path: /var/run/secrets/kubernetes.io/serviceaccount/token
destination:
method: kubernetes
mount: k8s-cluster-b
role: vault-write
rollout:
method: oidc
role: my-oidc-role
Use it with --auth-config path/to/auth.yml. CLI args and env vars override the file.
Env var prefixes:
VAULT_SRC_*for source (compare/sync)VAULT_DST_*for destination (compare/sync)VAULT_*for rollout
Keys: AUTH_METHOD, AUTH_MOUNT, AUTH_ROLE, AUTH_JWT_PATH.
Example Workflows
Compare Vaults
vault-mgmt compare --source-vault-addr ... --destination-vault-addr ... --mount-point secret --base-path app --output-file differences.csv
Sync Vaults with Overrides
vault-mgmt sync --source-vault-addr ... --destination-vault-addr ... --override-secrets differences.csv
Kubernetes Rollout
vault-mgmt rollout vault-namespace --vault-addr ... --kube-context ... --strict
The --strict flag exits non-zero when rollout steps time out instead of continuing.
The OIDC browser callback listener binds to 127.0.0.1 and waits up to 5 minutes for the auth response.
Development
- Testing:
pytest
- Linting:
ruff check .
- Tox:
tox
Dependencies
| Package | Version | Description |
|---|---|---|
hvac |
2.3.0 | Python client for HashiCorp Vault API |
kubernetes |
33.1.0 | Python client for Kubernetes API |
requests |
2.32.4 | Elegant HTTP library (dependency of hvac) |
tqdm |
4.67.1 | Progress bar for loops and iterables |
certifi |
2025.6.15 | Mozilla's root certificates for SSL/TLS |
charset-normalizer |
3.4.2 | Character set/encoding detection |
idna |
3.10 | Internationalized Domain Names in Applications |
urllib3 |
2.5.0 | HTTP client for Python (dependency of requests) |
Project Structure
vault_mgmt/— Main package with CLI and submodules:cli.py— CLI entry pointcompare.py— Vault comparison logicsync.py— Vault migration/sync logicrollout.py— Kubernetes rollout logicmanager.py— Shared management utilities
Links
License
GPL-3.0-only. See LICENSE.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file vault_mgmt-1.1.2.tar.gz.
File metadata
- Download URL: vault_mgmt-1.1.2.tar.gz
- Upload date:
- Size: 30.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
137eab1458afb0c22af3fb43137e1d7bc595398280dd25c12705746068aeb73e
|
|
| MD5 |
2d11898a96b3e22a520deafb34e0e6f6
|
|
| BLAKE2b-256 |
b4ce5144dda45418a4b2da139199e83afc9257b62617d4cad1ead1bc739fb340
|
Provenance
The following attestation bundles were made for vault_mgmt-1.1.2.tar.gz:
Publisher:
release.yml on jbouse/vault-mgmt
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
vault_mgmt-1.1.2.tar.gz -
Subject digest:
137eab1458afb0c22af3fb43137e1d7bc595398280dd25c12705746068aeb73e - Sigstore transparency entry: 871395721
- Sigstore integration time:
-
Permalink:
jbouse/vault-mgmt@05509c48bbc380bc197c8d9bfd3f23398bfccb9b -
Branch / Tag:
refs/heads/main - Owner: https://github.com/jbouse
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@05509c48bbc380bc197c8d9bfd3f23398bfccb9b -
Trigger Event:
push
-
Statement type:
File details
Details for the file vault_mgmt-1.1.2-py3-none-any.whl.
File metadata
- Download URL: vault_mgmt-1.1.2-py3-none-any.whl
- Upload date:
- Size: 28.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6f03998885e359dd79c2e012dbc41d14e0597fdbb5029258f3ca359301400ae1
|
|
| MD5 |
fe98d41ea2eb6a6c0115216cce3e510c
|
|
| BLAKE2b-256 |
3c1f62e14d6b8c24e2b75ce829fba1bebc807deac6bbaeffdcb06a65c2327122
|
Provenance
The following attestation bundles were made for vault_mgmt-1.1.2-py3-none-any.whl:
Publisher:
release.yml on jbouse/vault-mgmt
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
vault_mgmt-1.1.2-py3-none-any.whl -
Subject digest:
6f03998885e359dd79c2e012dbc41d14e0597fdbb5029258f3ca359301400ae1 - Sigstore transparency entry: 871395723
- Sigstore integration time:
-
Permalink:
jbouse/vault-mgmt@05509c48bbc380bc197c8d9bfd3f23398bfccb9b -
Branch / Tag:
refs/heads/main - Owner: https://github.com/jbouse
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@05509c48bbc380bc197c8d9bfd3f23398bfccb9b -
Trigger Event:
push
-
Statement type: