jonasvinther · volkorny · Jan 27, 2025
diff --git a/cmd/cmd.go b/cmd/cmd.go
@@ -85,6 +85,7 @@ func init() {
 	rootCmd.PersistentFlags().StringP("kubernetes-auth-path", "", "", "Authentication mount point within Vault for Kubernetes")
 	rootCmd.PersistentFlags().BoolP("insecure", "k", false, "Allow insecure server connections when using SSL")
 	rootCmd.PersistentFlags().StringP("namespace", "n", "", "Namespace within the Vault server (Enterprise only)")
+	rootCmd.PersistentFlags().IntP("sleep", "s", 0, "Number of milliseconds to sleep after each operation to avoid rate limits")
 
 	// AutomaticEnv makes Viper load environment variables
 	viper.AutomaticEnv()

diff --git a/cmd/delete.go b/cmd/delete.go
@@ -31,6 +31,7 @@ var deleteCmd = &cobra.Command{
 		namespace, _ := cmd.Flags().GetString("namespace")
 		engineType, _ := cmd.Flags().GetString("engine-type")
 		isApproved, _ := cmd.Flags().GetBool("auto-approve")
+		sleepMillis, _ := cmd.Flags().GetInt("sleep")
 
 		// Setup Vault client
 		client := vaultengine.NewClient(vaultAddr, vaultToken, insecure, namespace, vaultRole, kubernetes, authPath)
@@ -44,7 +45,7 @@ var deleteCmd = &cobra.Command{
 		client.SetEngineType(engineType)
 
 		// Recursive delete
-		secretPaths, err := client.CollectPaths(path)
+		secretPaths, err := client.CollectPaths(path, sleepMillis)
 		if err != nil {
 			return err
 		}

diff --git a/cmd/export.go b/cmd/export.go
@@ -39,6 +39,7 @@ var exportCmd = &cobra.Command{
 		exportFormat, _ := cmd.Flags().GetString("format")
 		output, _ := cmd.Flags().GetString("output")
 		keysOnly, _ := cmd.Flags().GetBool("display-keys-only")
+		sleepMillis, _ := cmd.Flags().GetInt("sleep")
 
 		client := vaultengine.NewClient(vaultAddr, vaultToken, insecure, namespace, vaultRole, kubernetes, authPath)
 		engine, path, err := client.MountpathSplitPrefix(path)
@@ -50,7 +51,7 @@ var exportCmd = &cobra.Command{
 		client.UseEngine(engine)
 		client.SetEngineType(engineType)
 
-		exportData, err := client.FolderExport(path)
+		exportData, err := client.FolderExport(path, sleepMillis)
 		if err != nil {
 			fmt.Println(err)
 			return err

diff --git a/pkg/vaultengine/folder_export.go b/pkg/vaultengine/folder_export.go
@@ -3,17 +3,18 @@ package vaultengine
 import (
 	"fmt"
 	"strings"
+	"time"
 )
 
 // Folder defines a level of the Vault structure
 type Folder map[string]interface{}
 
 // FolderExport will export all subfolders and secrets from a specified location
-func (client *Client) FolderExport(path string) (Folder, error) {
+func (client *Client) FolderExport(path string, sleepMillis int) (Folder, error) {
 	baseFolder := make(Folder)
 	subFolders := make(Folder)
 
-	err := client.PathReader(&subFolders, path)
+	err := client.PathReader(&subFolders, path, sleepMillis)
 	if err != nil {
 		return nil, err
 	}
@@ -50,8 +51,9 @@ func buildFolderStructure(parentFolder *Folder, parts []string, subFolders Folde
 }
 
 // PathReader recursively reads the provided path and all subpaths
-func (client *Client) PathReader(parentFolder *Folder, path string) error {
-	folder, err := client.FolderRead(path)
+func (client *Client) PathReader(parentFolder *Folder, path string, sleepMillis int) error {
+
+	folder, err := client.FolderRead(path, sleepMillis)
 	if err != nil {
 		return err
 	}
@@ -64,11 +66,15 @@ func (client *Client) PathReader(parentFolder *Folder, path string) error {
 			subFolder := make(Folder)
 			keyName := strings.Replace(strKey, "/", "", -1)
 
-			err = client.PathReader(&subFolder, newPath)
+			err = client.PathReader(&subFolder, newPath, sleepMillis)
 			if err != nil {
 				return err
 			}
 
+			if sleepMillis > 0 {
+				time.Sleep(time.Duration(sleepMillis) * time.Millisecond)
+			}
+
 			if (*parentFolder)[keyName] != nil {
 				for key, elem := range (*parentFolder)[keyName].(map[string]interface{}) {
 					subFolder[key] = elem
@@ -77,10 +83,16 @@ func (client *Client) PathReader(parentFolder *Folder, path string) error {
 			(*parentFolder)[keyName] = subFolder
 		} else {
 			s := client.SecretRead(newPath)
+
+			if sleepMillis > 0 {
+				time.Sleep(time.Duration(sleepMillis) * time.Millisecond)
+			}
+
 			if len(s) > 0 {
 				(*parentFolder)[strKey] = s
 			}
 		}
+
 	}
 
 	return nil

diff --git a/pkg/vaultengine/folder_read.go b/pkg/vaultengine/folder_read.go
@@ -2,10 +2,11 @@ package vaultengine
 
 import (
 	"fmt"
+	"time"
 )
 
-//FolderRead reads the subpaths and secrets of the provided path
-func (client *Client) FolderRead(path string) ([]interface{}, error) {
+// FolderRead reads the subpaths and secrets of the provided path
+func (client *Client) FolderRead(path string, sleepMillis int) ([]interface{}, error) {
 	infix := "/metadata/"
 
 	if client.engineType == "kv1" {
@@ -19,6 +20,10 @@ func (client *Client) FolderRead(path string) ([]interface{}, error) {
 		return nil, err
 	}
 
+	if sleepMillis > 0 {
+		time.Sleep(time.Duration(sleepMillis) * time.Millisecond)
+	}
+
 	if secret == nil {
 		return nil, fmt.Errorf("no keys found using path [%s] on Vault instance [%s]", finalPath, client.addr)
 	}

diff --git a/pkg/vaultengine/secret_delete.go b/pkg/vaultengine/secret_delete.go
@@ -8,9 +8,9 @@ import (
 )
 
 // CollectPaths will retrieve all paths to secrets defined under the given path
-func (client *Client) CollectPaths(path string) ([]string, error) {
+func (client *Client) CollectPaths(path string, sleepMillis int) ([]string, error) {
 	var secretPaths []string
-	folder, err := client.FolderRead(path)
+	folder, err := client.FolderRead(path, sleepMillis)
 	if err != nil {
 		return nil, err
 	}
@@ -21,7 +21,7 @@ func (client *Client) CollectPaths(path string) ([]string, error) {
 		newPath = CleanupPath(newPath)
 
 		if IsFolder(strKey) {
-			t, err := client.CollectPaths(newPath)
+			t, err := client.CollectPaths(newPath, sleepMillis)
 			secretPaths = append(secretPaths, t...)
 			if err != nil {
 				return nil, err