Export
Vault++ supports exporting secrets to various formats tailored for different infrastructure platforms.
JSON
To export secrets into JSON format, use the --output=json option. For example:
# vpp export --help
# Usage: vpp export [options] <file>
# For JSON:
# -o, --output json
# -e, --env <env> target environment
# --include <includePrefix...> only export secrets that match provided prefix, for example --include CI_
# --exclude <excludePrefix...> exclude secrets that match provided prefix from being exported, for example --exclude CI_
vpp export --exclude=CI_ --output=json --env=staging secrets.json
YAML
To export secrets into YAML format, use the --output=yaml option. For example:
# vpp export --help
# Usage: vpp export [options] <file>
# For YAML:
# -o, --output yaml
# -e, --env <env> target environment
# --include <includePrefix...> only export secrets that match provided prefix, for example --include CI_
# --exclude <excludePrefix...> exclude secrets that match provided prefix from being exported, for example --exclude CI_
# --yaml-template <template> [OPTIONAL] YAML template used to create YAML file
# --yaml-key <path> [OPTIONAL] YAML Key to insert the config in YAML template, for example: data/env
vpp export --exclude=CI_ --output=yaml --env=staging secrets.yml
## Example with template
vpp export --exclude=CI_ --output=yaml --yaml-template=template.yml --yaml-key='app/secrets' --env=staging secrets.yml
You can provide an optional template using the --yaml-template flag. If specified, the secrets will be placed in the location defined by the --yaml-key flag.
Kubernetes
To export secrets into Kubernetes Secret format, use the --output=k8s option. You need to provide the Kubernetes Secret name using the --k8s-secret-name flag. For example:
# vpp export --help
# Usage: vpp export [options] <file>
# For Kubernetes:
# -o, --output k8s
# -e, --env <env> target environment
# --include <includePrefix...> only export secrets that match provided prefix, for example --include CI_
# --exclude <excludePrefix...> exclude secrets that match provided prefix from being exported, for example --exclude CI_
# --k8s-secret-name <name> Kubernetes secret name
# --k8s-secret-namespace <namespace> Optional Kubernetes secret namespace
vpp export --exclude=CI_ --output=k8s --k8s-secret-name=my-api-secret --env=staging secrets.yaml
If you want to use a custom Kubernetes Secret template, you can export to YAML format and load your custom template instead.
The resulting YAML file can be imported into Kubernetes clusters by running the following command:
kubectl apply -f secrets.yaml
Fly.io
To export secrets for the fly secrets import command, use the --output=fly.io flag. For example:
# vpp export --help
# Usage: vpp export [options] <file>
# For Fly.io:
# -o, --output fly.io
# -e, --env <env> target environment
# --include <includePrefix...> only export secrets that match provided prefix, for example --include CI_
# --exclude <excludePrefix...> exclude secrets that match provided prefix from being exported, for example --exclude CI_
vpp export --exclude=CI_ --output=fly.io --env=staging secrets.flyio
Once exported, you can import the secrets into your Fly.io app using the following command:
fly secrets import < secrets.flyio
GitHub
To export secrets to be used in GitHub Action steps, use the --output=github format. For example:
# vpp export --help
# Usage: vpp export [options] <file>
# For GitHub:
# -o, --output github
# -e, --env <env> target environment
# --include <includePrefix...> only export secrets that match provided prefix, for example --include CI_
# --exclude <excludePrefix...> exclude secrets that match provided prefix from being exported, for example --exclude CI_
vpp export --include CI_ --output=github --env=staging $GITHUB_OUTPUT # or $GITHUB_ENV
$GITHUB_OUTPUT and $GITHUB_ENV are environment variables automatically exported by GitHub Actions in your pipeline.
$GITHUB_OUTPUT is used to set output values that can be accessed by subsequent steps in the workflow. For example:
steps:
  - id: vpp
    run: vpp export --include CI_ --output=github -e${{ inputs.environment || 'staging' }} $GITHUB_OUTPUT
    env:
      VPP_SERVICE_ACCOUNT_KEY: ${{ secrets.VPP_SERVICE_ACCOUNT_KEY }}
      VPP_SERVICE_ACCOUNT_PASSWORD: ${{ secrets.VPP_SERVICE_ACCOUNT_PASSWORD }}
  - uses: "google-github-actions/auth@v2"
    with:
      credentials_json: "${{ steps.vpp.outputs.CI_GOOGLE_CREDENTIALS }}"
$GITHUB_ENV is used to set environment variables that will be available to all subsequent steps. For example:
steps:
  - id: vpp
    run: vpp export --include CI_ --output=github -e${{ inputs.environment || 'staging' }} $GITHUB_ENV
    env:
      VPP_SERVICE_ACCOUNT_KEY: ${{ secrets.VPP_SERVICE_ACCOUNT_KEY }}
      VPP_SERVICE_ACCOUNT_PASSWORD: ${{ secrets.VPP_SERVICE_ACCOUNT_PASSWORD }}
  # $CI_PULUMI_TOKEN env var is from the VPP step.
  - run: PULUMI_TOKEN=$CI_PULUMI_TOKEN pulumi login
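GitHub Actions masks only values it knows as secrets, so values written to $GITHUB_OUTPUT or $GITHUB_ENV by the export step can show up unmasked in the logs of later steps. The following is an added example, not part of Vault++ or its documentation: it registers each exported value with the ::add-mask:: workflow command and checks that only names with the expected prefix were exported. It assumes the exported file uses GitHub's NAME=value and NAME<<DELIMITER forms; the function names, the 4-character minimum and the sample values are choices of this example.

```shell
#!/bin/sh
# Added example (not Vault++ code). Usage: mask_exported FILE PREFIX
# Assumes FILE uses GitHub's NAME=value and NAME<<DELIMITER forms.
# Prints one ::add-mask:: command per value line and returns:
#   0 = every name starts with PREFIX, 1 = unexpected name, 2 = malformed file
MIN_MASK_LEN=4   # example's choice: masking 1-3 character lines ("{") garbles logs

emit_mask() {
  if [ "${#1}" -ge "$MIN_MASK_LEN" ]; then printf '::add-mask::%s\n' "$1"; fi
}

mask_exported() {
  file=$1; prefix=$2; delim=''; rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    if [ -n "$delim" ]; then             # inside a multi-line value
      if [ "$line" = "$delim" ]; then delim=''; else emit_mask "$line"; fi
      continue
    fi
    [ -n "$line" ] || continue
    eq=${line%%=*}; hd=${line%%'<<'*}
    if [ "${#hd}" -lt "${#eq}" ]; then   # "<<" precedes any "=": NAME<<DELIMITER
      name=$hd; delim=${line#*'<<'}
      [ -n "$delim" ] || return 2
    elif [ "$eq" != "$line" ]; then      # NAME=value
      name=$eq; emit_mask "${line#*=}"
    else
      return 2                           # neither form: malformed line
    fi
    case $name in
      ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 2 ;;
      "$prefix"*) ;;
      *) echo "unexpected name: $name" >&2; rc=1 ;;
    esac
  done < "$file"
  [ -z "$delim" ] || return 2            # unterminated multi-line value
  return "$rc"
}

# Constructed sample in the assumed format; all values are made up.
write_sample() {
  printf '%s\n' 'CI_PULUMI_TOKEN=pul-constructed-0001' \
    'CI_GOOGLE_CREDENTIALS<<VPP_EOF' '{' \
    '  "private_key_id": "constructed-key-id"' '}' 'VPP_EOF' > "$1"
}
```

Call it in the same run step as the export, for example mask_exported "$GITHUB_OUTPUT" CI_, because GitHub gives each step its own $GITHUB_OUTPUT and $GITHUB_ENV file. Masking is by exact string, so a multi-line value is masked line by line.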
Shell
To export secrets as environment variables in the active shell, use the --output=shell option. Once exported, you can load the exported secrets into your shell. For example:
- bash / sh / zsh
- fish
- powershell
bash / sh / zsh:
# vpp export --help
# Usage: vpp export [options] <file>
# For Shell:
# -o, --output shell
# -e, --env <env> target environment
# --include <includePrefix...> only export secrets that match provided prefix, for example --include CI_
# --exclude <excludePrefix...> exclude secrets that match provided prefix from being exported, for example --exclude CI_
vpp export --include CI_ --output=shell --env=staging secrets.sh
source secrets.sh
echo $CI_AWS_ACCESS_KEY_ID # this will be available
fish:
# vpp export --help
# Usage: vpp export [options] <file>
# For Shell:
# -o, --output shell
# -e, --env <env> target environment
# --include <includePrefix...> only export secrets that match provided prefix, for example --include CI_
# --exclude <excludePrefix...> exclude secrets that match provided prefix from being exported, for example --exclude CI_
vpp export --include CI_ --output=shell --env=staging secrets.fish
source secrets.fish
echo $CI_AWS_ACCESS_KEY_ID # this will be available
powershell:
# vpp export --help
# Usage: vpp export [options] <file>
# For Shell:
# -o, --output shell
# -e, --env <env> target environment
# --include <includePrefix...> only export secrets that match provided prefix, for example --include CI_
# --exclude <excludePrefix...> exclude secrets that match provided prefix from being exported, for example --exclude CI_
vpp export --include CI_ --output=shell --env=staging secrets.ps1
./secrets.ps1
echo $env:CI_AWS_ACCESS_KEY_ID
Pulumi
To export secrets to be used in a Pulumi stack, use the --output=pulumi option. For example:
- bash / sh / zsh
- fish
- powershell
bash / sh / zsh:
# vpp export --help
# Usage: vpp export [options] <file>
# For Pulumi:
# -o, --output pulumi
# -e, --env <env> target environment
# --include <includePrefix...> only export secrets that match provided prefix, for example --include CI_
# --exclude <excludePrefix...> exclude secrets that match provided prefix from being exported, for example --exclude CI_
vpp export --exclude=CI_ --output=pulumi --env=staging pulumi-config.sh
# pulumi-config.sh contains 'pulumi config set-all' command to set pulumi config
bash pulumi-config.sh
pulumi up -y
fish:
# vpp export --help
# Usage: vpp export [options] <file>
# For Pulumi:
# -o, --output pulumi
# -e, --env <env> target environment
# --include <includePrefix...> only export secrets that match provided prefix, for example --include CI_
# --exclude <excludePrefix...> exclude secrets that match provided prefix from being exported, for example --exclude CI_
vpp export --exclude=CI_ --output=pulumi --env=staging pulumi-config.fish
# pulumi-config.fish contains 'pulumi config set-all' command to set pulumi config
fish pulumi-config.fish
pulumi up -y
powershell:
# vpp export --help
# Usage: vpp export [options] <file>
# For Pulumi:
# -o, --output pulumi
# -e, --env <env> target environment
# --include <includePrefix...> only export secrets that match provided prefix, for example --include CI_
# --exclude <excludePrefix...> exclude secrets that match provided prefix from being exported, for example --exclude CI_
vpp export --exclude=CI_ --output=pulumi --env=staging pulumi-config.ps1
# pulumi-config.ps1 contains 'pulumi config set-all' command to set pulumi config
pwsh pulumi-config.ps1
pulumi up -y