Vault Migrate
A Python tool for migrating secrets between HashiCorp Vault instances, supporting KV (Key-Value) secrets engines with namespace and mount point mapping.
Features
- Migrate secrets between different Vault instances
- Support for Vault namespaces
- Flexible mount point and path prefix mapping
- Configurable TLS verification and custom CA bundles
- JSON-based configuration for reproducible migrations
Installation
Using pipx (Recommended)
pipx installs the tool in an isolated environment while making it globally available:
pipx install vault_migrate
Using uv
uv is a fast Python package installer:
# Install globally
uv tool install vault_migrate
Manual Installation
For development or manual installation:
# Clone the repository
git clone https://github.com/TheLonelyGhost/vault-migrate.git
cd vault-migrate
# Create a virtual environment
python -m venv .venv
source .venv/bin/activate # On Windows: .venv\Scripts\activate
# Install the package
pip install -e .
Usage
The vault-migrate command takes a single positional argument: the path to your migration configuration file (typically named migrate.json).
vault-migrate migrate.json
Or with a custom path:
vault-migrate /path/to/my-migration-config.json
Configuration
Create a migrate.json file with your migration configuration. Here's a complete example:
{
  "settings": {
    "source": {
      "address": "https://vault-source.example.com:8200",
      "token": "hvs.source-token-here",
      "tls_verify": true,
      "ca_bundle_path": "/path/to/source-ca-bundle.pem"
    },
    "target": {
      "address": "https://vault-target.example.com:8200",
      "token": "hvs.target-token-here",
      "tls_verify": true,
      "ca_bundle_path": "/path/to/target-ca-bundle.pem"
    },
    "mapping_file": "out/mapping.json",
    "timeout": 10
  },
  "kv": [
    {
      "from": {
        "namespace": "source-namespace",
        "mount": "secret",
        "path_prefix": "app/production"
      },
      "to": {
        "namespace": "target-namespace",
        "mount": "kv",
        "path_prefix": "applications/prod"
      }
    },
    {
      "from": {
        "namespace": "source-namespace",
        "mount": "secret",
        "path_prefix": "shared/credentials"
      },
      "to": {
        "namespace": "target-namespace",
        "mount": "kv",
        "path_prefix": "shared/creds"
      }
    }
  ]
}
Configuration Schema
settings (required)
Global settings for the migration:
- source (required): Source Vault connection configuration
  - address (string, required): Vault server URL
  - token (string, required): Vault authorization token
  - tls_verify (boolean, optional): Enable TLS verification (default: true)
  - ca_bundle_path (string, optional): Path to custom CA certificate bundle
- target (required): Target Vault connection configuration
  - Same fields as source
- mapping_file (string, optional): Path to output mapping file (default: "out/mapping.json")
- timeout (integer, optional): Request timeout in seconds (default: 10)
kv (optional)
Array of KV secrets engine mappings. Each mapping defines how secrets should be migrated from source to target:
- from (required): Source location
  - namespace (string, required): Source Vault namespace
  - mount (string, required): Source KV mount point
  - path_prefix (string, required): Source path prefix within the mount
- to (required): Target location
  - namespace (string, required): Target Vault namespace
  - mount (string, required): Target KV mount point
  - path_prefix (string, required): Target path prefix within the mount
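A pre-flight audit of migrate.json against the schema above, as an added example that is not part of vault_migrate itself. It flags a config file readable by group/other (the file holds both tokens), non-HTTPS addresses, tls_verify turned off, missing required fields, and kv mappings whose targets overlap. The function names, finding strings and the sample config in demo() are constructed; treating overlapping targets as a problem is an assumption, not documented tool behaviour.

```python
import json, os, stat, tempfile
from urllib.parse import urlparse

def _covers(a, b):
    """True if path prefix a equals b or is an ancestor of b ('' covers all)."""
    a, b = a.strip("/"), b.strip("/")
    return a in ("", b) or b.startswith(a + "/")

def audit_config(path):
    """Return findings for a migrate.json file; an empty list means clean."""
    out = []
    # The file carries two Vault tokens in plaintext: expect owner-only access.
    if os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        out.append("file: group/other access on a file holding tokens")
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    for side in ("source", "target"):
        conn = cfg.get("settings", {}).get(side) or {}
        out += [f"settings.{side}.{k}: missing"        # required per the schema
                for k in ("address", "token") if not conn.get(k)]
        if conn.get("address") and urlparse(conn["address"]).scheme != "https":
            out.append(f"settings.{side}.address: not https")
        if conn.get("tls_verify", True) is not True:   # schema default is true
            out.append(f"settings.{side}.tls_verify: disabled")
    seen = []
    for i, m in enumerate(cfg.get("kv", [])):
        out += [f"kv[{i}].{end}.{k}: missing" for end in ("from", "to")
                for k in ("namespace", "mount", "path_prefix")
                if not isinstance(m.get(end, {}).get(k), str)]  # "" is valid
        to = m.get("to", {})
        cur = (to.get("namespace"), to.get("mount"), str(to.get("path_prefix", "")))
        for j, old in seen:  # two mappings writing into the same target subtree
            if cur[:2] == old[:2] and (_covers(cur[2], old[2]) or _covers(old[2], cur[2])):
                out.append(f"kv[{i}].to: overlaps kv[{j}].to")
        seen.append((i, cur))
    return out

def demo():
    """Audit a constructed config (placeholder hosts and token, not real)."""
    loc = lambda p: {"namespace": "ns", "mount": "kv", "path_prefix": p}
    src = {"address": "http://old.example.com:8200", "token": "hvs.x", "tls_verify": False}
    cfg = {"settings": {"source": src, "target": {"address": "https://new.example.com:8200"}},
           "kv": [{"from": loc("a"), "to": loc("shared")},
                  {"from": loc("b"), "to": loc("shared/creds")}]}
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(cfg, fh)
    os.chmod(fh.name, 0o644)  # simulate a config left world-readable
    found = audit_config(fh.name)
    os.remove(fh.name)
    return found
```

Run it against the real file with `audit_config("migrate.json")` before invoking the tool; `chmod 600 migrate.json` clears the first finding.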
Minimal Configuration Example
For a simple migration without namespaces or custom paths:
{
  "settings": {
    "source": {
      "address": "https://vault-old.example.com:8200",
      "token": "hvs.source-token"
    },
    "target": {
      "address": "https://vault-new.example.com:8200",
      "token": "hvs.target-token"
    }
  },
  "kv": [
    {
      "from": {
        "namespace": "",
        "mount": "secret",
        "path_prefix": ""
      },
      "to": {
        "namespace": "",
        "mount": "secret",
        "path_prefix": ""
      }
    }
  ]
}
Requirements
- Python 3.10 or higher
- Network access to both source and target Vault instances
- Valid Vault tokens with appropriate permissions for reading and writing secrets
License
See LICENSE file for details.
File details
Details for the file vault_migrate-0.1.8.tar.gz.
File metadata
- Download URL: vault_migrate-0.1.8.tar.gz
- Upload date:
- Size: 12.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.3 {"installer":{"name":"uv","version":"0.11.3","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 5083d6a4b9ad939b3a2d026a326ceca4d1c46eaff381902a8541fff0e157c843 |
| MD5 | 19a35d90056574dc82c0f67ce19ce108 |
| BLAKE2b-256 | debf1edf99bda116af1ef1d13589e4cbd9c836b65e9834640ace9cc6730e9893 |
File details
Details for the file vault_migrate-0.1.8-py3-none-any.whl.
File metadata
- Download URL: vault_migrate-0.1.8-py3-none-any.whl
- Upload date:
- Size: 12.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.3 {"installer":{"name":"uv","version":"0.11.3","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 68ba355bcf96f16b4d30c0ee0e604f0b4cf014b89e4da6f1860be7bafdc4fe08 |
| MD5 | 6904ba7a7e0e189586a86a6d00cd627e |
| BLAKE2b-256 | df0102461c8314ff532024a8a630c61d861588e0e58773a4328b25e8b73e1776 |