A tool to replicate secrets from one HashiCorp Vault or OpenBao instance to another.

When vault-sync starts, it does a full copy of the secrets from the source Vault instance to the destination Vault instance. Periodically, vault-sync does a full reconciliation to make sure all the destination secrets are up to date.

At the same time, you can manually enable the Socket Audit Device for the source Vault, so Vault will be sending audit logs to vault-sync. Using these audit logs, vault-sync keeps the secrets in the destination Vault up to date. Note that vault-sync does not create or delete the audit devices by itself.

It is possible to use the same Vault instance as the source and the destination. You can use this feature to replicate a "folder" of secrets to another "folder" on the same server. You need to specify different prefixes (src.prefix and dst.prefix) in the configuration file to make sure the source and the destination do not overlap.

• Only two Vault auth methods are supported: Token and AppRole
• Only secrets are replicated (specifically their latest versions)

Use the example to create your own configuration file. Instead of specifying secrets in the configuration file, you can use environment variables:

• For Token auth method:
  • VAULT_SYNC_SRC_TOKEN
  • VAULT_SYNC_DST_TOKEN
• For AppRole auth method:
  • VAULT_SYNC_SRC_ROLE_ID
  • VAULT_SYNC_SRC_SECRET_ID
  • VAULT_SYNC_DST_ROLE_ID
  • VAULT_SYNC_DST_SECRET_ID

A token or AppRole for the source Vault should have a policy that allows listing and reading secrets:

For KV secrets engine v1:

For KV secrets engine v2:

If the secrets engine mounted to a custom path instead of "secret", then replace "secret" above with the custom path.

To create a token for vault-sync for the source Vault:

To enable AppRole auth method and create AppRole for vault-sync for the source Vault:

Enabling audit log:

if you want to use the Vault audit device for vault-sync, then you need to create an audit device that always works. If you have only one audit device enabled, and it is not working (for example, vault-sync has terminated), then Vault will be unresponsive. Vault will not complete any requests until the audit device can write. If you have more than one audit device, then Vault will complete the request as long as one audit device persists the log. The simples way to create an audit device that always works:

Then, when vault-sync is running, create the audit device that will be sending audit logs to vault-sync:

The device name is vault-sync, use the same value as specified for id in the configuration file. For address, specify the external endpoint for vault-sync. Note that vault-sync should be running and accessible via the specified address, otherwise Vault will not create the audit device.

A token or AppRole for the source Vault should have a policy that allows operations on secrets:

For KV secrets engine v1:

For KV secrets engine v2:

If the secrets engine mounted to a custom path instead of "secret", then replace "secret" above with the custom path.

To create a token for vault-sync for the source Vault:

To enable AppRole auth method and create AppRole for vault-sync for the source Vault:

Command line options:

• --dry-run vault-sync shows all the changes it is going to make to the destination Vault, but does not do any actual changes.
• --once runs the full sync once, then exits.

Assuming your configuration file vault-sync.yaml is in the current directory:

When running vault-sync locally, specify environment variable SSL_CERT_FILE pointing to a PEM file with a certificate or certificates (see https://docs.openssl.org/3.1/man7/openssl-env/).

When running vault-sync in Kubernetes, first create a Kubernetes secret from the PEM file. For example:

Then specify the following Helm chart values: