This Bash script provides functionality to backup and restore secrets stored in HashiCorp Vault. It allows exporting secrets to a JSON file and importing them back into Vault when needed.
- Export Secrets: Recursively exports all secrets from a specified Vault path into a backup JSON file.
- Import Secrets: Restores secrets from a backup JSON file into Vault.
- Connection Check: Ensures that Vault is accessible before performing any operation.
- CLI Usage: Accepts Vault address, token, and secret engine path as command-line arguments.
- HashiCorp Vault CLI installed
jqinstalled for JSON processing- Access to a running Vault instance with valid authentication credentials
- Ensure that
vaultandjqare installed on your system. - Download the script and make it executable:
chmod +x vault_backup.sh
./vault_backup.sh -a <vault_address> -t <vault_token> -o <import|export> -p <secret_engine_path>-a: Vault address (e.g.,http://127.0.0.1:8200) (Required, can also be set viaVAULT_ADDRenvironment variable)-t: Vault token for authentication (Required, can also be set viaVAULT_TOKENenvironment variable)-o: Operation type (exportto backup secrets,importto restore secrets) (Required)-p: Secret engine path (Required)
./vault_backup.sh -a http://127.0.0.1:8200 -t s.1234567890abcdef -o export -p secret/data/This will export all secrets under secret/data/ and save them to vault_backup.json.
./vault_backup.sh -a http://127.0.0.1:8200 -t s.1234567890abcdef -o import -p secret/data/This will restore secrets from vault_backup.json into Vault under secret/data/.
- If Vault is unreachable, the script exits with an error.
- If the backup file is missing during import, the script exits with an error.
- If no secrets are found during import, the script warns and skips empty secrets.
This script is open-source and free to use under the MIT License.
Developed by Xig0n.
For issues or improvements, feel free to contribute!