| Name | vault-exodus JSON |
| Version |
0.1.3.1
JSON |
| download |
| home_page | None |
| Summary | A community-driven tool for migrating HashiCorp Vault secrets between KV engines (v1/v2). Use at your own RISK |
| upload_time | 2025-01-24 21:55:44 |
| maintainer | None |
| docs_url | None |
| author | None |
| requires_python | >=3.7 |
| license | MIT |
| keywords |
vault
hashicorp
migration
secrets
|
| VCS |
 |
| bugtrack_url |
|
| requirements |
No requirements were recorded.
|
| Travis-CI |
No Travis.
|
| coveralls test coverage |
No coveralls.
|
# Exodus
```
███████╗██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███████╗
██╔════╝╚██╗██╔╝██╔═══██╗██╔══██╗██║ ██║██╔════╝
█████╗ ╚███╔╝ ██║ ██║██║ ██║██║ ██║███████╗
██╔══╝ ██╔██╗ ██║ ██║██║ ██║██║ ██║╚════██║
███████╗██╔╝ ██╗╚██████╔╝██████╔╝╚██████╔╝███████║
╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝
```
# Exodus
A Python tool for migrating secrets between HashiCorp Vault clusters. Supports copying secrets from KV v1/v2 mounts between Vault instances.
> **Disclaimer**: This is not an official HashiCorp tool. Community-created project for Vault secrets migration. Use at your own risk.
## Features
- KV v1 and v2 mount support
- Recursive secret listing with subpath preservation
- Optional root path modifications
- Dry-run mode for operation preview
- Configurable rate limiting
- Vault Enterprise namespace support
- Flexible SSL/TLS verification with CA certificates
## Installation
```bash
pip install vault-exodus # Latest version
pip install vault-exodus==0.1.1 # Specific version
```
### Requirements
- Python 3.7+ (Recommended)
- Requests
- tqdm
Dependencies are automatically installed via pip.
## Usage
### CLI
```bash
exodus [OPTIONS]
```
#### Key Arguments
| Argument | Description | Default |
|----------|-------------|---------|
| `--vault-a-addr` | Source Vault URL | http://localhost:8200 |
| `--vault-a-token` | Source Vault token | Required |
| `--vault-a-mount` | Source KV mount name | secret |
| `--vault-a-path-root` | Source root path | myapp |
| `--vault-b-addr` | Destination Vault URL | http://localhost:8200 |
| `--vault-b-token` | Destination Vault token | Required |
| `--vault-b-mount` | Destination KV mount name | secret |
| `--vault-b-path-root` | Destination root path | myapp-copied |
[View complete arguments table in documentation]
### Example
```bash
exodus \
--vault-a-addr="https://source-vault.example.com" \
--vault-a-token="s.ABCD1234" \
--vault-a-mount="secret" \
--vault-a-path-root="myapp" \
--vault-a-namespace="admin" \
--vault-a-kv-version="2" \
--vault-b-addr="https://destination-vault.example.com" \
--vault-b-token="s.EFGH5678" \
--vault-b-mount="secret" \
--vault-b-path-root="myapp-copied" \
--vault-b-kv-version="2" \
--rate-limit=0.5 \
--dry-run
```
### Python Library Usage
```python
#!/usr/bin/env python3
from exodus.kv_migrator import list_secrets, read_secret, write_secret
from tqdm import tqdm
import time
import logging
logging.basicConfig(
level=logging.INFO,
format="%(asctime)s [%(levelname)s] %(message)s"
)
def simple_migrate(
src_addr, src_token, src_mount, src_root, src_kv_version, src_namespace,
dst_addr, dst_token, dst_mount, dst_root, dst_kv_version, dst_namespace,
dry_run=False, rate_limit=1.0
):
logging.info(f"Listing secrets in '{src_root}' from {src_addr} (KV v{src_kv_version})")
secret_paths = list_secrets(
vault_addr=src_addr,
token=src_token,
mount=src_mount,
path=src_root,
kv_version=src_kv_version,
namespace=src_namespace,
verify=False
)
logging.info(f"Found {len(secret_paths)} secrets to copy")
failed_copies = []
for spath in tqdm(secret_paths, desc="Copying secrets"):
try:
data = read_secret(
vault_addr=src_addr,
token=src_token,
mount=src_mount,
path=spath,
kv_version=src_kv_version,
namespace=src_namespace,
verify=False
)
if not data:
logging.debug(f"No data for '{spath}'; skipping")
continue
if spath.startswith(src_root + "/"):
relative = spath[len(src_root)+1:]
dpath = f"{dst_root}/{relative}"
else:
dpath = f"{dst_root}/{spath}"
if dry_run:
logging.info(f"[Dry Run] Would copy '{spath}' -> '{dpath}'")
else:
write_secret(
vault_addr=dst_addr,
token=dst_token,
mount=dst_mount,
path=dpath,
secret_data=data,
kv_version=dst_kv_version,
namespace=dst_namespace,
verify=False
)
logging.info(f"Copied '{spath}' -> '{dpath}'")
if rate_limit > 0:
time.sleep(rate_limit)
except Exception as e:
failed_copies.append((spath, str(e)))
logging.error(f"Failed to copy '{spath}': {e}")
if failed_copies:
logging.error("\nSome secrets failed to copy:")
for path, error in failed_copies:
logging.error(f" - {path}: {error}")
def main():
# Example usage
simple_migrate(
src_addr="http://localhost:8200",
src_token="root",
src_mount="secret",
src_root="myapp",
src_kv_version="2",
src_namespace="admin",
dst_addr="http://localhost:8200",
dst_token="root",
dst_mount="secret",
dst_root="myapp-copied",
dst_kv_version="2",
dst_namespace="admin",
dry_run=True
)
if __name__ == "__main__":
main()
```
## Best Practices
- Test migrations with `--dry-run` before production use
- Increase `--rate-limit` for large datasets
- Use appropriate CA certificates in secure environments
- Verify token permissions (read on source, write on destination)
## Contributing
Contributions welcome! Please feel free to submit pull requests or issues on GitHub.
## License
MIT License. See [LICENSE](LICENSE) file for details.
Again, note: This is not an official HashiCorp tool. It is a community-driven script created to help anyone needing to migrate secrets between Vault instances. Always confirm it meets your security and compliance requirements before use. Use it at your own risk.
Raw data
{
"_id": null,
"home_page": null,
"name": "vault-exodus",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.7",
"maintainer_email": null,
"keywords": "vault, hashicorp, migration, secrets",
"author": null,
"author_email": "AndyLow <memebotandres@gmail.com>",
"download_url": "https://files.pythonhosted.org/packages/f0/53/10a0fd3697648be4f264a433f1ee3bc82b378f646719294d5c8540eced74/vault_exodus-0.1.3.1.tar.gz",
"platform": null,
"description": "# Exodus\n\n```\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\n\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u255a\u2588\u2588\u2557\u2588\u2588\u2554\u255d\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\n\u2588\u2588\u2588\u2588\u2588\u2557 \u255a\u2588\u2588\u2588\u2554\u255d \u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\n\u2588\u2588\u2554\u2550\u2550\u255d \u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u255a\u2550\u2550\u2550\u2550\u2588\u2588\u2551\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2554\u255d \u2588\u2588\u2557\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\n\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n```\n# Exodus\n\nA Python tool for migrating secrets between HashiCorp Vault clusters. Supports copying secrets from KV v1/v2 mounts between Vault instances.\n\n> **Disclaimer**: This is not an official HashiCorp tool. Community-created project for Vault secrets migration. Use at your own risk.\n\n## Features\n\n- KV v1 and v2 mount support\n- Recursive secret listing with subpath preservation\n- Optional root path modifications\n- Dry-run mode for operation preview\n- Configurable rate limiting\n- Vault Enterprise namespace support\n- Flexible SSL/TLS verification with CA certificates\n\n## Installation\n\n```bash\npip install vault-exodus # Latest version\npip install vault-exodus==0.1.1 # Specific version\n```\n\n### Requirements\n- Python 3.7+ (Recommended)\n- Requests\n- tqdm\n\nDependencies are automatically installed via pip.\n\n## Usage\n\n### CLI\n\n```bash\nexodus [OPTIONS]\n```\n\n#### Key Arguments\n\n| Argument | Description | Default |\n|----------|-------------|---------|\n| `--vault-a-addr` | Source Vault URL | http://localhost:8200 |\n| `--vault-a-token` | Source Vault token | Required |\n| `--vault-a-mount` | Source KV mount name | secret |\n| `--vault-a-path-root` | Source root path | myapp |\n| `--vault-b-addr` | Destination Vault URL | http://localhost:8200 |\n| `--vault-b-token` | Destination Vault token | Required |\n| `--vault-b-mount` | Destination KV mount name | secret |\n| `--vault-b-path-root` | Destination root path | myapp-copied |\n\n[View complete arguments table in documentation]\n\n### Example\n\n```bash\nexodus \\\n --vault-a-addr=\"https://source-vault.example.com\" \\\n --vault-a-token=\"s.ABCD1234\" \\\n --vault-a-mount=\"secret\" \\\n --vault-a-path-root=\"myapp\" \\\n --vault-a-namespace=\"admin\" \\\n --vault-a-kv-version=\"2\" \\\n --vault-b-addr=\"https://destination-vault.example.com\" \\\n --vault-b-token=\"s.EFGH5678\" \\\n --vault-b-mount=\"secret\" \\\n --vault-b-path-root=\"myapp-copied\" \\\n --vault-b-kv-version=\"2\" \\\n --rate-limit=0.5 \\\n --dry-run\n```\n\n### Python Library Usage\n\n```python\n#!/usr/bin/env python3\nfrom exodus.kv_migrator import list_secrets, read_secret, write_secret\nfrom tqdm import tqdm\nimport time\nimport logging\n\nlogging.basicConfig(\n level=logging.INFO,\n format=\"%(asctime)s [%(levelname)s] %(message)s\"\n)\n\ndef simple_migrate(\n src_addr, src_token, src_mount, src_root, src_kv_version, src_namespace,\n dst_addr, dst_token, dst_mount, dst_root, dst_kv_version, dst_namespace,\n dry_run=False, rate_limit=1.0\n):\n logging.info(f\"Listing secrets in '{src_root}' from {src_addr} (KV v{src_kv_version})\")\n \n secret_paths = list_secrets(\n vault_addr=src_addr,\n token=src_token,\n mount=src_mount,\n path=src_root,\n kv_version=src_kv_version,\n namespace=src_namespace,\n verify=False\n )\n\n logging.info(f\"Found {len(secret_paths)} secrets to copy\")\n failed_copies = []\n \n for spath in tqdm(secret_paths, desc=\"Copying secrets\"):\n try:\n data = read_secret(\n vault_addr=src_addr,\n token=src_token,\n mount=src_mount,\n path=spath,\n kv_version=src_kv_version,\n namespace=src_namespace,\n verify=False\n )\n if not data:\n logging.debug(f\"No data for '{spath}'; skipping\")\n continue\n \n if spath.startswith(src_root + \"/\"):\n relative = spath[len(src_root)+1:]\n dpath = f\"{dst_root}/{relative}\"\n else:\n dpath = f\"{dst_root}/{spath}\"\n \n if dry_run:\n logging.info(f\"[Dry Run] Would copy '{spath}' -> '{dpath}'\")\n else:\n write_secret(\n vault_addr=dst_addr,\n token=dst_token,\n mount=dst_mount,\n path=dpath,\n secret_data=data,\n kv_version=dst_kv_version,\n namespace=dst_namespace,\n verify=False\n )\n logging.info(f\"Copied '{spath}' -> '{dpath}'\")\n \n if rate_limit > 0:\n time.sleep(rate_limit)\n \n except Exception as e:\n failed_copies.append((spath, str(e)))\n logging.error(f\"Failed to copy '{spath}': {e}\")\n\n if failed_copies:\n logging.error(\"\\nSome secrets failed to copy:\")\n for path, error in failed_copies:\n logging.error(f\" - {path}: {error}\")\n\ndef main():\n # Example usage\n simple_migrate(\n src_addr=\"http://localhost:8200\",\n src_token=\"root\",\n src_mount=\"secret\", \n src_root=\"myapp\",\n src_kv_version=\"2\",\n src_namespace=\"admin\",\n dst_addr=\"http://localhost:8200\",\n dst_token=\"root\",\n dst_mount=\"secret\",\n dst_root=\"myapp-copied\",\n dst_kv_version=\"2\",\n dst_namespace=\"admin\",\n dry_run=True\n )\n\nif __name__ == \"__main__\":\n main()\n```\n\n## Best Practices\n\n- Test migrations with `--dry-run` before production use\n- Increase `--rate-limit` for large datasets\n- Use appropriate CA certificates in secure environments\n- Verify token permissions (read on source, write on destination)\n\n## Contributing\n\nContributions welcome! Please feel free to submit pull requests or issues on GitHub.\n\n## License\n\nMIT License. See [LICENSE](LICENSE) file for details.\n\nAgain, note: This is not an official HashiCorp tool. It is a community-driven script created to help anyone needing to migrate secrets between Vault instances. Always confirm it meets your security and compliance requirements before use. Use it at your own risk.\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "A community-driven tool for migrating HashiCorp Vault secrets between KV engines (v1/v2). Use at your own RISK",
"version": "0.1.3.1",
"project_urls": {
"Source Code": "https://github.com/andylow92/exodus",
"Tracker": "https://github.com/andylow92/exodus/issues"
},
"split_keywords": [
"vault",
" hashicorp",
" migration",
" secrets"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "ba99a10e07a400369a54d207b9b26af5af1c06c8ac018fe424c180f3b50460df",
"md5": "21a8607a296bf6ac63b1f964cabf0ba1",
"sha256": "c7b23b9f9574e6410c0483f3a1d97fea2cd489b2f18cba02ae0b39a71a5e2d1a"
},
"downloads": -1,
"filename": "vault_exodus-0.1.3.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "21a8607a296bf6ac63b1f964cabf0ba1",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.7",
"size": 8544,
"upload_time": "2025-01-24T21:55:43",
"upload_time_iso_8601": "2025-01-24T21:55:43.140678Z",
"url": "https://files.pythonhosted.org/packages/ba/99/a10e07a400369a54d207b9b26af5af1c06c8ac018fe424c180f3b50460df/vault_exodus-0.1.3.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "f05310a0fd3697648be4f264a433f1ee3bc82b378f646719294d5c8540eced74",
"md5": "4065f2231d6ce31146bd5c2ac471c75e",
"sha256": "cb1450128f3fc1ac8778834e425b97078ac01cdee17a89b04dc5440379caf873"
},
"downloads": -1,
"filename": "vault_exodus-0.1.3.1.tar.gz",
"has_sig": false,
"md5_digest": "4065f2231d6ce31146bd5c2ac471c75e",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.7",
"size": 9159,
"upload_time": "2025-01-24T21:55:44",
"upload_time_iso_8601": "2025-01-24T21:55:44.918777Z",
"url": "https://files.pythonhosted.org/packages/f0/53/10a0fd3697648be4f264a433f1ee3bc82b378f646719294d5c8540eced74/vault_exodus-0.1.3.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-01-24 21:55:44",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "andylow92",
"github_project": "exodus",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"lcname": "vault-exodus"
}
