Import¶
vkv import requires an engine path (--path) and will accepts vkvs YAML or JSON output (vkv export -f=yaml|json) either by invoking vkv import - (for STDIN) or by specifying a file (--file). vkv will create the specified path if the engine does not exist yet and will error if it does, unless --force is specified.
See the CLI Reference for more details on the supported flags and env vars.
Example Usage¶
> vkv export -p secret -f=yaml > secret_export.yaml
> vkv import -p copy --file=secret_export.yaml
reading secrets from secret_export.yaml
parsing secrets from YAML
writing secret "copy/admin"
writing secret "copy/demo"
writing secret "copy/sub/demo"
writing secret "copy/sub/sub2/demo"
successfully imported all secrets
result:
copy/
├── v1: admin
│ └── sub=********
├── v1: demo
│ └── foo=***
└── sub/
├── v1: demo
│ ├── demo=***********
│ ├── password=******
│ └── user=*****
└── sub2
└── v1: demo
├── admin=***
├── foo=***
├── password=********
└── user=****
Reading secrets from STDIN¶
The - in vkv import -, tells vkv do read data via STDIN. The idea of vkv import - is, in order to copy/mirror KV-v2 secrets or complete engines across different Vault Servers or Namespaces, you can simply pipe
vkvs output into the vkv import command:
# dont forget to use --show-values, otherwise the secrets will be uploaded masked.
vkv export -p <source> --show-values -f=yaml | vkv import - -p <destination>
A few notes:¶
<source>and<destination>dont have to be the root path of a secret engine, you also specify subpaths and copy them another secret engine.vkvwill error if the enabled secret engine already exist, you can use--forceto overwrite the destination engine, if the destination path contains a subpath (root/sub),vkvwill then insert the secrets to that specific directory
⚠️ vkv import can overwrite important secrets, always double check the commmand by using the dry-run mode (--dry-run) first