vault read returns all values in a secret. Often, I want to query only a particular field.
I suggest adding an option 'vault read-field' or something that only prints the secret value, unquoted. Take for example my example implementation in bash/jq:
```
read-field secret/prod/mysql:password
```

```bash
#!/bin/bash
# read-field: read only a particular field from a vault secret map.
#
# dependencies: jq 1.5
SECRET_KEY=$1
# Split 'your/vault/key:field' into the secret path and the field name.
SECRET=$(echo "$SECRET_KEY" | cut -s -d: -f1)
KEY=$(echo "$SECRET_KEY" | cut -s -d: -f2)
if [ -z "$SECRET" ] || [ -z "$KEY" ]; then
    echo "need argument of the form 'your/vault/key:field'" >&2
    exit 1
fi
# Pass the field name as a jq variable so it is never interpreted as jq syntax.
JSON_FIELD=$(vault read --format=json "$SECRET" | jq --arg key "$KEY" '.data[$key]')
if [ "$JSON_FIELD" == "null" ]; then
    exit 1
fi
# strip "" from json string value
echo "$JSON_FIELD" | sed 's/^"//' | sed 's/"$//'
```
Hi @feliksik ,
You can use the -field option to vault read to get just the value of the specified field.
Let us know if that doesn't solve the problem for you!
Perfect! Didn't see that option.
Thanks
Is there any way to achieve the same behaviour using the HTTP API?
The CLI uses the HTTP API; that option simply reads the JSON, parses out the desired field, and displays only that. Vault doesn't filter responses on the server side, though.
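The client-side filtering described in the reply above, sketched against the HTTP API as an added example (not part of the original thread and not Vault's own code). It assumes the `VAULT_ADDR` and `VAULT_TOKEN` environment variables and a response with fields under `data`, as in the jq script earlier in the thread; the function names, the sample response and the handling of non-string values are this example's own choices.

```python
import json
import os
import urllib.request

# Constructed sample of a Vault read response body; not real data.
SAMPLE_RESPONSE = json.dumps({
    "lease_id": "",
    "renewable": False,
    "lease_duration": 2764800,
    "data": {"username": "app", "password": "s3cr\"et\\x", "port": 3306},
    "warnings": None,
})


class FieldNotFound(KeyError):
    """Raised when the requested field is absent from the secret."""


def extract_field(body, field):
    """Pick one field out of a full read response (str or bytes)."""
    data = json.loads(body).get("data") or {}
    if field not in data:
        raise FieldNotFound(field)
    value = data[field]
    # Strings come back raw (no quotes, escapes decoded); other types as JSON.
    return value if isinstance(value, str) else json.dumps(value)


def read_field(path, field, addr=None, token=None):
    """GET /v1/<path> and filter locally; the server still sends every field."""
    addr = addr or os.environ["VAULT_ADDR"]
    token = token or os.environ["VAULT_TOKEN"]  # from env, never from argv
    req = urllib.request.Request(
        f"{addr.rstrip('/')}/v1/{path.lstrip('/')}",
        headers={"X-Vault-Token": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_field(resp.read(), field)


if __name__ == "__main__":
    # Offline demonstration on the constructed response above.
    print(extract_field(SAMPLE_RESPONSE, "password"))
```

Because the filtering happens in the client, the token still needs read access to the whole path and the complete secret crosses the wire on every call.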
In case anyone runs into this, the docs don't really explain how to use -read, the proper incantation is:
vault read -field YOUR_KEY_NAME secret/path/to/your/key
-read has to come before the path, otherwise it gives you cryptic errors depending on if you do -field=FIELD vs -field FIELD