GuyBarros · January 15, 2025 13:23
diff --git a/get_secret_count.sh b/get_secret_count.sh
 #!/bin/bash

 minutes=30 # Note that this script may take up to 30m to run, or longer if `minutes=30` was changed.

 # The count_secrets.sh script is intended to be used to query the sys/metrics endpoint of a Vault cluster and extract the
 # sum of all KV secrets counts across all namespaces.  This relies on the
 # https://developer.hashicorp.com/vault/docs/configuration/telemetry#usage_gauge_period configuration not being disabled,
 # and on
 # https://developer.hashicorp.com/vault/docs/configuration/telemetry#prometheus_retention_time not being set to 0.
 #
 # Running the script:
 # * ensure that `jq` and `awk` are available in the path
 # * set VAULT_ADDR to point to the active node of the cluster
 # * set VAULT_TOKEN if https://developer.hashicorp.com/vault/docs/configuration/listener/tcp#telemetry-parameters isn't
 #   set to allow unauthenticated metrics access; the token should have a policy that grants it read access to the path
 #   "sys/metrics".

 if [ "$(which jq)" == "" ]; then
    echo "Missing required dependency: jq" 1>&2
    exit 1
 fi

 if [ "$(which awk)" == "" ]; then
    echo "Missing required dependency: awk" 1>&2
    exit 1
 fi

 health=$(curl -sk $VAULT_ADDR/v1/sys/health)
 sealed=$(echo "$health" |jq .sealed)
 if [ "$sealed" = "true" ]; then
    echo "Vault is sealed" 1>&2
    exit 1
 elif [ "$sealed" != "false" ]; then
    echo "Test probe of cluster using $VAULT_ADDR/v1/sys/health did not return expected result."
    echo "Full output of 'curl $VAULT_ADDR/v1/sys/health' follows:"
    curl -sk $VAULT_ADDR/v1/sys/health
    exit 1
 fi

 leader=$(curl -sk $VAULT_ADDR/v1/sys/leader | jq -r .leader_address)
 if [ "$leader" != "" ]; then
  VAULT_ADDR=$leader
 fi

 set -e

 echo "Querying metrics from VAULT_ADDR=$VAULT_ADDR using VAULT_TOKEN env var."
 echo "Will try for up to $minutes minutes before giving up, since inmem metrics retention is usually low,"
 echo "and usage_gauge_period tends to be high."
 echo

 # Run for up to $minutes minutes before killing ourselves.
 pid=$$
 (sleep $(($minutes*60)); kill $pid)&
 trap "kill $?; echo; echo No secret count found in metrics 1>&2; exit 1" EXIT

 # Poll the metrics endpoint using $VAULT_ADDR/$VAULT_TOKEN
 while true; do
  count=$(curl -sk --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/sys/metrics?format=prometheus |
    awk '/^vault_.*?secret_kv_count/{n+=$2} END{print n}')

  if [ "$count" != "" ]; then
      echo "Total kv secrets found: $count"
      break
  else
      echo -n .
  fi
  sleep 10
 done
	#!/bin/bash

	minutes=30 # Note that this script may take up to 30m to run, or longer if `minutes=30` was changed.

	# The count_secrets.sh script is intended to be used to query the sys/metrics endpoint of a Vault cluster and extract the
	# sum of all KV secrets counts across all namespaces. This relies on the
	# https://developer.hashicorp.com/vault/docs/configuration/telemetry#usage_gauge_period configuration not being disabled,
	# and on
	# https://developer.hashicorp.com/vault/docs/configuration/telemetry#prometheus_retention_time not being set to 0.
	#
	# Running the script:
	# * ensure that `jq` and `awk` are available in the path
	# * set VAULT_ADDR to point to the active node of the cluster
	# * set VAULT_TOKEN if https://developer.hashicorp.com/vault/docs/configuration/listener/tcp#telemetry-parameters isn't
	# set to allow unauthenticated metrics access; the token should have a policy that grants it read access to the path
	# "sys/metrics".

	if [ "$(which jq)" == "" ]; then
	echo "Missing required dependency: jq" 1>&2
	exit 1
	fi

	if [ "$(which awk)" == "" ]; then
	echo "Missing required dependency: awk" 1>&2
	exit 1
	fi

	health=$(curl -sk $VAULT_ADDR/v1/sys/health)
	sealed=$(echo "$health" \|jq .sealed)
	if [ "$sealed" = "true" ]; then
	echo "Vault is sealed" 1>&2
	exit 1
	elif [ "$sealed" != "false" ]; then
	echo "Test probe of cluster using $VAULT_ADDR/v1/sys/health did not return expected result."
	echo "Full output of 'curl $VAULT_ADDR/v1/sys/health' follows:"
	curl -sk $VAULT_ADDR/v1/sys/health
	exit 1
	fi

	leader=$(curl -sk $VAULT_ADDR/v1/sys/leader \| jq -r .leader_address)
	if [ "$leader" != "" ]; then
	VAULT_ADDR=$leader
	fi

	set -e

	echo "Querying metrics from VAULT_ADDR=$VAULT_ADDR using VAULT_TOKEN env var."
	echo "Will try for up to $minutes minutes before giving up, since inmem metrics retention is usually low,"
	echo "and usage_gauge_period tends to be high."
	echo

	# Run for up to $minutes minutes before killing ourselves.
	pid=$$
	(sleep $(($minutes*60)); kill $pid)&
	trap "kill $?; echo; echo No secret count found in metrics 1>&2; exit 1" EXIT

	# Poll the metrics endpoint using $VAULT_ADDR/$VAULT_TOKEN
	while true; do
	count=$(curl -sk --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/sys/metrics?format=prometheus \|
	awk '/^vault_.*?secret_kv_count/{n+=$2} END{print n}')

	if [ "$count" != "" ]; then
	echo "Total kv secrets found: $count"
	break
	else
	echo -n .
	fi
	sleep 10
	done