A script to copy Vault secrets from one path to another

vault-cp

#!/usr/bin/env bash

# ensure we were given two command line arguments
if [[ $# -ne 2 ]]; then
	echo 'usage: vault-cp SOURCE DEST' >&2
	exit 1
fi

source=$1
dest=$2

# check for dependencies
if ! command -v jq > /dev/null; then
	echo 'vault-cp: required command "jq" was not found' >&2
	exit 1
fi

# check for existing values; this is ugly, but
# the `vault read` command always exits with 0
source_json=$(vault read -format=json "$source" 2>&1)
if [[ $source_json == "No value found at $source" ]]; then
	echo "$source_json" >&2
	exit 1
fi

source_data=$(echo "$source_json" | jq '.data')
[[ -n $DEBUG ]] && printf '%s\n' "$source_data"

dest_check=$(vault read "$dest" 2>&1 1> /dev/null)
if [[ $dest_check != "No value found at $dest" ]]; then
	overwrite='n'
	printf 'Destination "%s" already exists...overwrite? [y/N] ' "$dest"
	read -r overwrite

	# only overwrite if user explicitly confirms
	if [[ ! $overwrite =~ ^[Yy]$ ]]; then
		echo 'vault-cp: copying has been aborted' >&2
		exit 1
	fi
fi

echo "$source_data" | vault write "$dest" -

JFYI, working on a "poor man's" secrets replication for Vault: https://github.com/pbchekin/vault-sync

preserving versions:

for i in $(vault kv metadata get -format=json $old_location | jq '.data.versions|keys|join("\n")' -r) ; do
    vault kv get -version=$i -format=json -field=data $old_location | vault kv put $new_location -; done