I’d set up a new Vault/Consul cluster and use a Python script (or whatever language you prefer) and the HTTP API to read all keys from Consul and all secrets from Vault and copy them over to the new cluster. Depending on the amount of data, this can get a bit challenging, I know.
This also is a good opportunity to make sure all ACLs, secret engine configurations, roles, etc. can be applied in an automated way (e.g. using Terraform, Ansible, etc.).
You may also be able to use consul-backinator to assist with this backup and restore process.
I’ve never used this myself, and it’s not officially endorsed by HashiCorp, but it might be worth trying before you go down the route of writing your own KV backup client.
Thank you, blake. I should receive all keys that I have on this consul cluster using the following request, correct?
curl "http://<IP>:<port>/v1/kv/?keys=true"
But it returns an empty list. Now I have doubts if the Vault cluster really uses Consul as its storage backend; the vault.hcl file has a slightly different configuration from what I’m commonly used to:
Are ACLs enabled in your Consul environment? If so, you’ll want to issue the query with a token that has privileges to read the KV paths that you are trying to export. You can then provide that token in the API request using one of the supported authentication headers or as a query argument (https://www.consul.io/api-docs#authentication). For example:
That command will return an array of key names which are stored in Consul. If you want to include the values, you’ll want to just use the ?recurse query argument.
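Added example, not part of the thread and not HashiCorp code: a minimal Python reader for the `?recurse` export discussed above, sending the ACL token in the `X-Consul-Token` header so it stays out of the URL, and decoding the base64 `Value` fields. The function names, the address in the usage comment and the sample response are constructed for illustration.

```python
import base64
import json
import urllib.error
import urllib.request

# Constructed sample of a /v1/kv/?recurse response body (not real data).
SAMPLE_BODY = json.dumps([
    {"Key": "app/config/db_host", "Flags": 0,
     "Value": base64.b64encode(b"db.internal.example").decode()},
    {"Key": "app/config/empty", "Flags": 0, "Value": None},
])


def build_kv_request(base_url, token, prefix=""):
    """Build the GET for /v1/kv/<prefix>?recurse with the token in a header.

    A token passed as a query argument ends up in proxy and access logs;
    the header form avoids that.
    """
    url = f"{base_url.rstrip('/')}/v1/kv/{prefix.lstrip('/')}?recurse=true"
    return urllib.request.Request(url, headers={"X-Consul-Token": token})


def decode_kv_entries(body):
    """Turn a ?recurse response body into {key: bytes}.

    Consul base64-encodes Value and returns null for keys without a value.
    """
    entries = json.loads(body) if body else []
    decoded = {}
    for entry in entries:
        raw = entry.get("Value")
        decoded[entry["Key"]] = base64.b64decode(raw) if raw is not None else b""
    return decoded


def export_kv(base_url, token, prefix=""):
    """Fetch and decode every key under prefix that the token may read."""
    try:
        req = build_kv_request(base_url, token, prefix)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return decode_kv_entries(resp.read())
    except urllib.error.HTTPError as err:
        if err.code == 404:  # Consul answers 404 when no key exists at the path
            return {}
        raise


if __name__ == "__main__":
    # Offline demo on the constructed sample; against a live cluster use
    # export_kv("http://<IP>:<port>", token) with a read-only token.
    for key, value in decode_kv_entries(SAMPLE_BODY).items():
        print(key, value)
```

An empty result from a cluster that is known to hold data usually points at the token's policy rather than at missing keys, which is the situation described in the thread.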