nebtex / vault-migrator Goto Github PK

I have vault backed by consul which I am migrating to filesystem for backup purposes.

If my vault kv has a key named foo and a folder named _foo... both want to become _foo on the filesystem so I get a _foo is a directory error when running vault-migrator.

Since vault is okay with foo and _foo, is there some way to configure the consul file backend to make it handle this case? Do you have any advice that isn't: "don't do that, silly!" :-)

My config.json for vault-migrator --config config.json:

$ cat backup.json
{
    "to": {
        "name": "file",
        "config": {
            "path": "/Users/jar349/projects/vault-backups/data"
        }
    },
    "from": {
        "name": "consul",
        "config": {
            "address": "localhost:8500",
            "path": "vault/"
        }
    }
}

The term 'Moving' is bit scary 😃 which gives the impression that the migrator deleting keys from source backend.

Values seem to properly migrate from consul to another consul end point (attempting to create a DR by leveraging copying from a consul cluster to another consul node - and starting a vault instance against that node).

When bringing up a vault node against the copy, the vault can be unsealed but a leader can't be established. Have tried vault 0.7.0 and 0.10.x

The exporting functionality does seem to work as expected however a new vault instance can't be used against the replicated set.

Do certain values have to be removed from consul to address this? I have attempted to delete the leader data and lock from /vault/core.

When those vaults are removed the following errors are constantly thrown when the vault is unsealed.

[ERROR] core: failed to read auth table: error="decryption failed: cipher: message authentication failed"
[INFO ] core: pre-seal teardown starting
[INFO ] core: pre-seal teardown complete
[ERROR] core: post-unseal setup failed: error="failed to setup auth table"
[INFO ] core: acquired lock, enabling active operation
[INFO ] core: post-unseal setup starting
[INFO ] core: loaded wrapping token key
[INFO ] core: successfully setup plugin catalog: plugin-directory=
[INFO ] core: successfully mounted backend: type=kv path=secret/
[INFO ] core: successfully mounted backend: type=system path=sys/
[INFO ] core: successfully mounted backend: type=identity path=identity/
[INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
[ERROR] core: failed to read auth table: error="decryption failed: cipher: message authentication failed"

Hi Team,

I have an existing Vault environment which is using dynamoDB as a backend and LDAP as an auth backend, it is using one ROOT key and 4 secrets.

I am migrating the dynamodb db to our new environment, new environment has consul as a backend
and Okta as an auth backend, it is using one ROOT key and 1 secrets key. After the migration, my auth backend, cluster config, RooT key, secrets key are getting overwritten.

How can i prevent that?

Hello,

I wanted to check whether it is possible to migrate vault data from a Vault community edition backed by Consul to Enterprise Vault + HSM backed by Consul.

I'm looking to only migrate secrets.