Add `-field` and `-format` to write command.

Fixes #1186

command/write.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"reflect"
 	"strings"
 
 	"github.com/hashicorp/vault/helper/kv-builder"
@@ -18,10 +19,11 @@ type WriteCommand struct {
 }
 
 func (c *WriteCommand) Run(args []string) int {
-	var format string
+	var field, format string
 	var force bool
 	flags := c.Meta.FlagSet("write", FlagSetDefault)
 	flags.StringVar(&format, "format", "table", "")
+	flags.StringVar(&field, "field", "", "")
 	flags.BoolVar(&force, "force", false, "")
 	flags.BoolVar(&force, "f", false, "")
 	flags.Usage = func() { c.Ui.Error(c.Help()) }
@@ -63,10 +65,34 @@ func (c *WriteCommand) Run(args []string) int {
 	}
 
 	if secret == nil {
-		c.Ui.Output(fmt.Sprintf("Success! Data written to: %s", path))
+		// Don't output anything if people aren't using the "human" output
+		if format == "table" {
+			c.Ui.Output(fmt.Sprintf("Success! Data written to: %s", path))
+		}
 		return 0
 	}
 
+	// Handle single field output
+	if field != "" {
+		if val, ok := secret.Data[field]; ok {
+			// c.Ui.Output() prints a CR character which in this case is
+			// not desired. Since Vault CLI currently only uses BasicUi,
+			// which writes to standard output, os.Stdout is used here to
+			// directly print the message. If mitchellh/cli exposes method
+			// to print without CR, this check needs to be removed.
+			if reflect.TypeOf(c.Ui).String() == "*cli.BasicUi" {
+				fmt.Fprintf(os.Stdout, val.(string))
+			} else {
+				c.Ui.Output(val.(string))
+			}
+			return 0
+		} else {
+			c.Ui.Error(fmt.Sprintf(
+				"Field %s not present in secret", field))
+			return 1
+		}
+	}
+
 	return OutputSecret(c.Ui, format, secret)
 }
 
@@ -94,17 +120,17 @@ Usage: vault write [options] path [data]
 
   Write data (secrets or configuration) into Vault.
 
-  Write sends data into Vault at the given path. The behavior of the write
-  is determined by the backend at the given path. For example, writing
-  to "aws/policy/ops" will create an "ops" IAM policy for the AWS backend
-  (configuration), but writing to "consul/foo" will write a value directly
-  into Consul at that key. Check the documentation of the logical backend
-  you're using for more information on key structure.
+  Write sends data into Vault at the given path. The behavior of the write is
+  determined by the backend at the given path. For example, writing to
+  "aws/policy/ops" will create an "ops" IAM policy for the AWS backend
+  (configuration), but writing to "consul/foo" will write a value directly into
+  Consul at that key. Check the documentation of the logical backend you're
+  using for more information on key structure.
 
-  Data is sent via additional arguments in "key=value" pairs. If value
-  begins with an "@", then it is loaded from a file. Write expects data in the
-	file to be in JSON format. If you want to start the value with a literal "@",
-	then prefix the "@" with a slash: "\@".
+  Data is sent via additional arguments in "key=value" pairs. If value begins
+  with an "@", then it is loaded from a file. Write expects data in the file to
+  be in JSON format. If you want to start the value with a literal "@", then
+  prefix the "@" with a slash: "\@".
 
 General Options:
 
@@ -116,6 +142,12 @@ Write Options:
                           specified. This allows writing to keys that do not
                           need or expect any fields to be specified.
 
+  -format=table           The format for output. By default it is a whitespace-
+                          delimited table. This can also be json or yaml.
+
+  -field=field            If included, the raw value of the specified field
+                          will be output raw to stdout.
+
 `
 	return strings.TrimSpace(helpText)
 }