Zyborg.Vault

PowerShell bindings for HashiCorp Vault

View project on GitHub

Zyborg.Vault

PowerShell client bindings for HashiCorp Vault

Browse API Docs

Build status Powershellgallery Badge MyGet

About

The aim of this project is to provide a PowerShell module that provides cmdlets to interact with a HashiCorp Vault server in a natural way for PowerShell – the PowerShell wayTM.

The initial set of cmdlets is derived from the operations that are available from the official Vault CLI client. We define a mapping of CLI functions to PowerShell cmdlets here.

Status

The initial release of this project includes support for most commands found int the Vault CLI.

The cmdlets have been tested manually and verified to work properly against a Vault v7.x server. Automated testing will be added in a forthcoming release.

Any feedback is welcome!

Installation

The easiest way to get started is to install the latest published release from the PowerShell Gallery.

Install-Module -Name Zyborg.Vault

You can also get early access to pre-release builds.

Import-Module PowerShellGet
Register-PSRepository -Name "zyborg-stage" -SourceLocation "https://www.myget.org/F/zyborg-stage/api/v3/index.json"
Install-Module -Name "Zyborg.Vault" -Repository "zyborg-stage"

Vault Connection Profiles

One feature that this module includes that improves upon the official CLI is support for “Vault server connection profiles” or just profiles. This is a feature that allows a user to define connection attributes under a named profile, including the Vault server endpoint URL and an authentication token, which is then stored securely for a given user.

You can then reference the profiles instead of having to specify these settings on each cmdlet invocation or having to resort to the use of environment variables which is a less secure option. You can also define a default profile named default which will be used as the fallback if no other profile is specified explicitly.

Even when using a connection profile, you can override individual connection settings as parameters on each invocation.

You can use the following cmdlets to manage profiles:

  • Get-VltProfile
  • Set-VltProfile
  • New-VltAuth (when specifying the -SaveAs parameter)

Examples

Here we provide a few usage examples to get a feel for the cmdlets.

Example #1

Define a connection profile and use it in inquire about the setup of the Vault server.

PS C:\> Set-VltProfile my-vault -VaultAddress https://my-vault.contoso.local:8200 -VaultToken xxxx-yyyy-zzzz

PS C:\> Test-VltInstance -VaultProfile my-vault  ## This is used to verify Vault server is initialized
True
PS C:\> Get-VltStatus -VaultProfile my-vault


Sealed          : False
SecretThreshold : 3
SecretShares    : 5
Progress        : 0
Version         : 0.7.2
ClusterName     : ezs-vault-cluster-1
ClusterId       : a7f91311-dc25-91fb-1ed8-6bb530299a08
Nonce           :


PS C:\> Get-VltKeyStatus -VaultProfile my-vault

SequentialKeyNumber InstallTime
------------------- -----------
                  1 5/3/2017 12:56:10 PM +00:00


PS C:\> Get-VltAuthMounts -VaultProfile my-vault

AuthenticationPath BackendType Description
------------------ ----------- -----------
approle/           approle
okta/              okta
token/             token       token based credentials
user1/             userpass


PS C:\> Get-VltSecretMounts -VaultProfile my-vault

MountPoint BackendType Description                                             MountConfiguration
---------- ----------- -----------                                             ------------------
cubbyhole/ cubbyhole   per-token private secret storage                        VaultSharp.Backends.System.Models.Mou...
secret/    generic     generic secret storage                                  VaultSharp.Backends.System.Models.Mou...
secret2b/  generic                                                             VaultSharp.Backends.System.Models.Mou...
sys/       system      system endpoints used for control, policy and debugging VaultSharp.Backends.System.Models.Mou...

Example #2

Here we show a few typical use cases for working with secrets.

## This creates a new profile named 'default' that uses the same
## attributes as the existing profile 'my-profile' -- if not
## overridden, the 'default' profile will be used by default
PS C:\> Set-VltProfile default -VaultProfile my-profile

PS C:\> Get-VltDataList secret

Keys
----
{foo1, foo2, s1, s2...}


PS C:\> Get-VltDataList secret | select -ExpandProperty keys | select -First 3
foo1
foo2
s1


PS C:\> Write-VltData secret/foo3 -Data @{ k1="v1"; k2="v2" }
PS C:\> Read-VltData secret/foo3

Key Value
--- -----
k1  v1
k2  v2