Bash script to enumerate all HashiCorp Vault KV secrets: for each token in the 'keys' file it walks every path the token can list and attempts to read each secret. Every readable secret is written in plaintext to a '<path>.data' file under the current directory, so run it from a directory with restrictive permissions and remove the output when finished.
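#!/bin/bash
# Enumerate every KV secret readable with each Vault token listed in ./keys
# and dump the readable ones to "<mount>/<path>.data" under the current
# directory. Requires: vault CLI, jq, GNU parallel (runs exported bash functions).
#
# Vault server address: edit for your deployment, or set VAULT_ADDR in the
# environment to override the default. TLS verification is deliberately left on
# (VAULT_SKIP_VERIFY is not set).
export VAULT_ADDR="${VAULT_ADDR:-https://vault:9200/}"
# The jq pipelines below parse the CLI's JSON output.
export VAULT_FORMAT=json
# Everything this script writes to disk is secret material: make the dump
# files owner-readable only instead of inheriting a permissive umask.
umask 077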
#######################################
# Create an empty "<path>.data" file, making any missing parent directories.
# Arguments: $1 - relative path of the secret (".data" is appended)
# Returns:   non-zero if dirname, mkdir or touch fails
#######################################
touch2() {
  local parent
  parent=$(dirname "$1") || return
  mkdir -p "$parent" && touch "$1.data"
}
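#######################################
# Read every leaf secret directly under a KV path and dump each one to disk.
# Arguments: $1 - KV path to list, with its trailing slash (e.g. "kv/app/")
# Globals:   VAULT_ADDR, VAULT_TOKEN, VAULT_FORMAT (read by the vault CLI)
# Outputs:   one "<path> exists and is readable." line per readable secret;
#            the secret's JSON is written to "<path>.data" under the cwd.
# Returns:   0 — unreadable or missing secrets are skipped silently
#######################################
list_keys() {
  local path=$1
  local listing key secret
  # With VAULT_FORMAT=json the listing is a JSON array of names; a failed
  # list yields no output and the loop below simply does not run.
  listing=$(vault kv list "${path}")
  # Entries ending in "/" are sub-paths (handled by enumerate_dirs); only leaf
  # keys are fetched here. Reading line by line keeps key names that contain
  # whitespace intact, which a for-loop over $(...) would split into pieces.
  while IFS= read -r key; do
    [[ -n "$key" && "$key" != */ ]] || continue
    # 2>/dev/null: permission denied / not found is the expected failure
    # mode and is what this probe is testing for.
    if secret=$(vault kv get "${path}${key}" 2>/dev/null); then
      # NOTE(review): the key name returned by Vault is used verbatim as a
      # relative file path under the cwd; Vault is treated as trusted here.
      touch2 "${path}${key}"
      printf '%s\n' "$secret" > "${path}${key}.data"
      echo "${path}${key} exists and is readable."
    fi
  done < <(printf '%s\n' "$listing" | jq -r '.[]')
}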
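#######################################
# Walk a KV path recursively: dump its leaf secrets, then descend into each
# sub-path beneath it.
# Arguments: $1 - KV path with its trailing slash (e.g. "kv/app/")
# Globals:   VAULT_ADDR, VAULT_TOKEN, VAULT_FORMAT (read by the vault CLI)
# Outputs:   whatever list_keys prints for every path visited
#######################################
enumerate_dirs() {
  local dir=$1
  local entry
  # Leaves directly under $dir are fetched by list_keys.
  list_keys "${dir}"
  # Only "/"-suffixed entries are sub-paths. Leaf keys are already covered by
  # list_keys; recursing into them would re-list each one and build
  # "${dir}${leaf}" with no "/" separator for anything found beneath it.
  # (A key that is both a leaf and a prefix is listed as "name" and "name/".)
  while IFS= read -r entry; do
    [[ "$entry" == */ ]] || continue
    enumerate_dirs "${dir}${entry}"
  done < <(vault kv list "${dir}" | jq -r '.[]')
}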
# GNU parallel runs each generated command in a fresh bash process, so the
# helpers must be exported to be callable from "enumerate_dirs <path>".
export -f touch2 list_keys enumerate_dirs
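#######################################
# Main: for each token in ./keys, look at what is visible at the root of every
# KV mount in MOUNTS and fan the enumeration out over GNU parallel.
# Inputs:    ./keys — Vault tokens separated by whitespace/newlines. The file
#            holds live credentials: keep it 0600 and delete it when done.
# Globals:   VAULT_TOKEN is exported per token (parallel's children inherit
#            it; that is how they authenticate) and unset afterwards.
# Outputs:   progress on stdout, one "<path>.data" file per readable secret
#            under the current directory (see list_keys).
#######################################
MOUNTS=(kv secret ssh)   # mounts to probe; "vault kv list" simply fails on non-KV ones

# keys is read on fd 3 so no child command can consume it from stdin.
while read -r -u 3 -a tokens || (( ${#tokens[@]} )); do
  for token in "${tokens[@]}"; do
    export VAULT_TOKEN=$token
    # Who owns this token? Parsed from the JSON lookup (VAULT_FORMAT=json).
    who=$(vault token lookup 2>/dev/null | grep username | awk -F'"' '{print $4}')
    # An empty name usually means an invalid or expired token; say so instead
    # of silently running an enumeration that will find nothing.
    [[ -n "$who" ]] || echo "warning: token lookup returned no username (invalid or expired token?)" >&2
    echo "Now grabbing vault from ${who}"
    for mount in "${MOUNTS[@]}"; do
      # Skip mounts this token cannot list at all (missing mount, no policy).
      listing=$(vault kv list "${mount}/" 2>/dev/null) || continue
      # Leaf secrets sitting directly in the mount root are fetched by
      # list_keys; only "/"-suffixed entries are sub-paths worth recursing.
      printf 'list_keys %q\n' "${mount}/"
      while IFS= read -r entry; do
        [[ "$entry" == */ ]] || continue
        # %q shell-quotes the path so parallel passes it as one argument even
        # when the name contains whitespace.
        printf 'enumerate_dirs %q\n' "${mount}/${entry}"
      done < <(printf '%s\n' "$listing" | jq -r '.[]')
    done | parallel --gnu -j20 --delay 0.1 --line-buffer
    unset VAULT_TOKEN
  done
done 3< keys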