This tool finds, parses and outputs X509 certificates stored in a Hashicorp Vault.
This tool deals directly with secrets in Vault and will iterate over and retrieve every secret your approle has access to. With this in mind, there are some security precautions to take before you run this script.
- You are communicating with Vault over HTTPS.
- You are running this on a secure machine, ideally your local machine. It's not recommended to run this in any CI environment as it may be insecure.
- Some debug options will print all secrets to stdout, ensure your environment does not store CLI output in any permanent storage.
- Your Vault service can handle at least (count of directories + secrets)*2 requests in quick succession.
This tool is not available on a package registry, so please clone this repository git clone https://github.com/godaddy/vault-cert-finder.git
before attempting to use it.
Ensure your approle does not have a limit on your token usage (token_num_uses
) as this tool will make many queries.
This tool requires various specific Vault policies.
To read mounts, you need
path "sys/mounts" {
capabilities = ["read"]
}
To read your KV secret engines, for each engine you need
path "my-secret-engine/*" {
capabilities = ["read", "list"]
}
This tool requires Node.js >=15.6.0
You will need to run yarn
to install required packages before the first time you run the tool.
yarn start --url https://myvaulthost.com --role my-role-id --secret my-secret-id
First build the image
docker build -t vault-cert-finder .
Now you can run the image. Depending on where the Vault you want to connect to lives, changes how you run the docker image.
docker run --rm --add-host host.docker.internal:host-gateway vault-cert-finder --url http://host.docker.internal:PORT --role myrole --secret mysecret
docker run --rm vault-cert-finder --url http://myvault.com --role myrole --secret mysecret
Option | Description | Required |
---|---|---|
--url |
The URL to your vault service | true |
--role |
Your approle role | true |
--secret |
Your approle secret | true |
--mountPoint |
Your approle mount point | false |
--mounts |
Comma seperated list of mounts you want to traverse (as opposed to all) | false |
Other forms of authentication are not yet available
To aid with development of this tool, you can create a .env
file and add DEBUG=
with a comma seperated list of values. Those values can be:
node-vault
- This relates to thenode-vault
package we use for interacting with vault. Enabling this will output all the HTTP requests we make to the Vault service.vault-cert-finder
- This relates to the debugging of this tool, enabling this will output what the script is doing and all secrets it finds.
- Will not find certificates stored in JSON secrets
- Only traverses over KV secret engines
- Only supports approle authentication