vault-search-replace.sh

#!/bin/bash

set -e

function replace {
    local readonly secret="$1"

    data="$(vault kv get -format=json -field=data "$secret")"
    updated=$(sed -e s/"$search"/"$replace"/g <(echo "$data"))

    if [ "$data" != "$updated" ]; then
        echo "Updating $secret"
        echo "$updated" | vault kv put "$secret" -
    fi
}

function traverse {
    local readonly path="$1"

    result=$(vault kv list -format=json "$path" 2>&1) || return

    for secret in $(echo "$result" | jq -r '.[]'); do
        if [[ "$secret" == */ ]]; then
            traverse "$path$secret"
        else
            replace "$path$secret"
        fi
    done
}

path="${1%"/"}/"
search="$2"
replace="$3"

traverse "$path"