Skip to main content

MIGRATE A VAULT

Preview the Migration

Use --dry-run to see what will be migrated without making changes.

swamp vault migrate my-secrets --to-type @swamp/aws-sm \
    --config '{"region": "us-east-1"}' --dry-run
INF vault·migrate Vault "my-secrets" ("local_encryption") has 2 secret(s).
INF vault·migrate Target: "AWS Secrets Manager" ("@swamp/aws-sm")
INF vault·migrate Dry run — no changes made.

Run the Migration

Remove --dry-run to execute.

swamp vault migrate my-secrets --to-type @swamp/aws-sm \
    --config '{"region": "us-east-1"}'

Secrets are copied to the target backend before the vault configuration is updated. If the copy fails mid-migration, the source vault is unchanged.

Verify

List the keys in the migrated vault and confirm a secret resolves.

swamp vault list-keys my-secrets
swamp vault read-secret my-secrets api-key --force

Annotations are preserved during migration if both the source and target providers support them.

See the Vaults reference for the full set of migrate options.

← PreviousUse 1PasswordNext →Set Up Background Autoupdating