cruepprich · October 15, 2021 15:04
diff --git a/manage_oci_vault_secrets.sh b/manage_oci_vault_secrets.sh
 export VAULT_OCID=ocid1.vault.oc1.iad.xxx           # Edit as needed
 export COMPARTMENT_OCID=ocid1.compartment.oc1..xxx  # Edit as needed
 export KEY_OCID=ocid1.key.oc1.iad.xxx               # Edit as needed
 export PASSWORD=$(openssl rand -base64 32 | base64) # See http://bit.ly/gen-pwd
 export SECRET_NAME="my_secret-demo"
 export VAULT_USER_PROFILE="VAULT_USER"              # OCI CLI Profile

 # See a list of vaults in a compartment
 oci kms management vault list \
    --profile $VAULT_USER_PROFILE \
    -c $COMPARTMENT_OCID \
    --query "data[].{id:id,state:\"lifecycle-state\",name:\"display-name\"}" \
    --output table

 # Example Output
 +------------------------+------------+--------+
 | id                     | name       | state  |
 +------------------------+------------+--------+
 | ocid1.vault.oc1.phx.xxx| my-vault   | ACTIVE |
 +------------------------+------------+--------+

 # Create secret
 oci vault secret create-base64 \
    --profile $VAULT_USER_PROFILE \
    -c $COMPARTMENT_OCID \
    --secret-name $SECRET_NAME \
    --vault-id $VAULT_OCID \
    --key-id $KEY_OCID \
    --secret-content-content $PASSWORD

 # Get secret ocid
 export SECRET_OCID=$(oci vault secret list --raw-output --query "data[?\"secret-name\" == '$SECRET_NAME'].id | [0]")

 # List secret versions
 oci secrets secret-bundle-version list-versions \
    --profile $VAULT_USER_PROFILE \
    --all \
    --secret-id $SECRET_OCID \
    --query "data[].{\"version-number\":\"version-number\",\"stages\":\"stages\"}" \
    --output table

 # Example Output
 +-----------------------+----------------+
 | stages                | version-number |
 +-----------------------+----------------+
 | ['CURRENT', 'LATEST'] | 6              |
 | ['PREVIOUS']          | 5              |
 | ['DEPRECATED']        | 4              |
 | ['DEPRECATED']        | 3              |
 | ['DEPRECATED']        | 2              |
 | ['DEPRECATED']        | 1              |
 +-----------------------+----------------+


 # Get secret decoded text
 oci secrets secret-bundle get \
    --profile $VAULT_USER_PROFILE \
    --raw-output \
    --secret-id $SECRET_OCID \
    --query "data.\"secret-bundle-content\".content" | base64 -D


 # Get secret decoded text for prior version
 oci secrets secret-bundle get \
    --profile $VAULT_USER_PROFILE \
    --raw-output \
    --version-number 1 \
    --secret-id $SECRET_OCID \
    --query "data.\"secret-bundle-content\".content" | base64 -D


 # Update a secret
 oci vault secret update-base64 \
    --profile $VAULT_USER_PROFILE \
    --secret-id $SECRET_OCID \
    --force \
    --secret-content-content $(openssl rand -base64 32 | base64)


 # Delete a secret. Time must be at least 24 hours in the future
 oci vault secret schedule-secret-deletion \
    --secret-id $SECRET_OCID \
    --time-of-deletion 2020-09-03T10:20-0600


 # Cancel secret deletion
 oci vault secret cancel-secret-deletion \
    --secret-id $SECRET_OCID


 # List secrets
 oci vault secret list \
    --profile $VAULT_USER_PROFILE \
    -c $COMPARTMENT_OCID \
    --query "data[].{id:id,\"secret-name\":\"secret-name\",state:\"lifecycle-state\",\"time-of-deletion\":\"time-of-deletion\"}" \
    --output table

 # Example Output
 +-------------------------------+----------------+------------------+---------------------------+
 | ocid1.vaultsecret.oc1.iad.xxx | secret5        | ACTIVE           | None                      |
 | ocid1.vaultsecret.oc1.iad.xxx | secret4        | PENDING_DELETION | 2020-09-03T16:20:00+00:00 |
 | ocid1.vaultsecret.oc1.iad.xxx | my_secret      | ACTIVE           | None                      |
 | ocid1.vaultsecret.oc1.iad.xxx | cmr-secret3    | ACTIVE           | None                      |
 | ocid1.vaultsecret.oc1.iad.xxx | cmr-secret1    | ACTIVE           | None                      |
 | ocid1.vaultsecret.oc1.iad.xxx | cmr-apache-pvt | ACTIVE           | None                      |
 | ocid1.vaultsecret.oc1.iad.xxx | cat_manga      | ACTIVE           | None                      |
 +-------------------------------+----------------+------------------+---------------------------+
	export VAULT_OCID=ocid1.vault.oc1.iad.xxx # Edit as needed
	export COMPARTMENT_OCID=ocid1.compartment.oc1..xxx # Edit as needed
	export KEY_OCID=ocid1.key.oc1.iad.xxx # Edit as needed
	export PASSWORD=$(openssl rand -base64 32 \| base64) # See http://bit.ly/gen-pwd
	export SECRET_NAME="my_secret-demo"
	export VAULT_USER_PROFILE="VAULT_USER" # OCI CLI Profile

	# See a list of vaults in a compartment
	oci kms management vault list \
	--profile $VAULT_USER_PROFILE \
	-c $COMPARTMENT_OCID \
	--query "data[].{id:id,state:\"lifecycle-state\",name:\"display-name\"}" \
	--output table

	# Example Output
	+------------------------+------------+--------+
	\| id \| name \| state \|
	+------------------------+------------+--------+
	\| ocid1.vault.oc1.phx.xxx\| my-vault \| ACTIVE \|
	+------------------------+------------+--------+

	# Create secret
	oci vault secret create-base64 \
	--profile $VAULT_USER_PROFILE \
	-c $COMPARTMENT_OCID \
	--secret-name $SECRET_NAME \
	--vault-id $VAULT_OCID \
	--key-id $KEY_OCID \
	--secret-content-content $PASSWORD

	# Get secret ocid
	export SECRET_OCID=$(oci vault secret list --raw-output --query "data[?\"secret-name\" == '$SECRET_NAME'].id \| [0]")

	# List secret versions
	oci secrets secret-bundle-version list-versions \
	--profile $VAULT_USER_PROFILE \
	--all \
	--secret-id $SECRET_OCID \
	--query "data[].{\"version-number\":\"version-number\",\"stages\":\"stages\"}" \
	--output table

	# Example Output
	+-----------------------+----------------+
	\| stages \| version-number \|
	+-----------------------+----------------+
	\| ['CURRENT', 'LATEST'] \| 6 \|
	\| ['PREVIOUS'] \| 5 \|
	\| ['DEPRECATED'] \| 4 \|
	\| ['DEPRECATED'] \| 3 \|
	\| ['DEPRECATED'] \| 2 \|
	\| ['DEPRECATED'] \| 1 \|
	+-----------------------+----------------+


	# Get secret decoded text
	oci secrets secret-bundle get \
	--profile $VAULT_USER_PROFILE \
	--raw-output \
	--secret-id $SECRET_OCID \
	--query "data.\"secret-bundle-content\".content" \| base64 -D


	# Get secret decoded text for prior version
	oci secrets secret-bundle get \
	--profile $VAULT_USER_PROFILE \
	--raw-output \
	--version-number 1 \
	--secret-id $SECRET_OCID \
	--query "data.\"secret-bundle-content\".content" \| base64 -D


	# Update a secret
	oci vault secret update-base64 \
	--profile $VAULT_USER_PROFILE \
	--secret-id $SECRET_OCID \
	--force \
	--secret-content-content $(openssl rand -base64 32 \| base64)


	# Delete a secret. Time must be at least 24 hours in the future
	oci vault secret schedule-secret-deletion \
	--secret-id $SECRET_OCID \
	--time-of-deletion 2020-09-03T10:20-0600


	# Cancel secret deletion
	oci vault secret cancel-secret-deletion \
	--secret-id $SECRET_OCID


	# List secrets
	oci vault secret list \
	--profile $VAULT_USER_PROFILE \
	-c $COMPARTMENT_OCID \
	--query "data[].{id:id,\"secret-name\":\"secret-name\",state:\"lifecycle-state\",\"time-of-deletion\":\"time-of-deletion\"}" \
	--output table

	# Example Output
	+-------------------------------+----------------+------------------+---------------------------+
	\| ocid1.vaultsecret.oc1.iad.xxx \| secret5 \| ACTIVE \| None \|
	\| ocid1.vaultsecret.oc1.iad.xxx \| secret4 \| PENDING_DELETION \| 2020-09-03T16:20:00+00:00 \|
	\| ocid1.vaultsecret.oc1.iad.xxx \| my_secret \| ACTIVE \| None \|
	\| ocid1.vaultsecret.oc1.iad.xxx \| cmr-secret3 \| ACTIVE \| None \|
	\| ocid1.vaultsecret.oc1.iad.xxx \| cmr-secret1 \| ACTIVE \| None \|
	\| ocid1.vaultsecret.oc1.iad.xxx \| cmr-apache-pvt \| ACTIVE \| None \|
	\| ocid1.vaultsecret.oc1.iad.xxx \| cat_manga \| ACTIVE \| None \|
	+-------------------------------+----------------+------------------+---------------------------+