operator import

The operator import command imports secrets from external systems in to Vault. Secrets with the same name at the same storage path will be overwritten upon import.

This is potentially a long-running process as the importer can be configured to read as many secrets as the import plan specified and from multiple external systems.

Examples

Execute an import config file named import.hcl to generate an import plan:

$ vault operator import -config import.hcl plan

Output:

-----------
Import plan
-----------
The following namespaces are missing:
* ns-1/

The following mounts are missing:
* ns1/mount-1

Secrets to be imported from the source "my-dest-1":
* secret1
* secret2
...

Configuration

The operator import command uses a dedicated configuration file to specify the source, destination, and mapping rules.

source_gcp {
  name = "my-gcp-source-1"
  credentials = "@/path/to/service-account-key.json"
}

destination_vault {
  name = "my-dest-1"
  address = "http://127.0.0.1:8200/"
  token = "root"
  namespace = "ns-1"
  mount = "mount-1"
}

mapping_passthrough {
  name = "my-map-1"
  source = "my-gcp-1"
  destination = "my-dest-1"
  priority = 1
}

Usage

The following flags are available for the operator import command.

-config (string: <required>) - Path to the import configuration HCL file.
auto-approve (bool: <false>) - Automatically skips the user-input requirement of "yes" when running the "apply" command.
auto-create (bool: <false>) - Automatically creates any missing namespaces and mounts when "running the "apply" command.
-log-level (string: "info") - Log verbosity level. Supported values (in order of descending detail) are trace, debug, info, warn, and error. This can also be specified via the VAULT_LOG_LEVEL environment variable.