
KV store usage

Once logged in to Vault you can start managing secrets.

Overview

  • Vault secrets are organized like a filesystem with directories and files. Each file contains a list of key/value pairs, the values being the secrets. This filesystem is called the "KV store" in Vault.

  • Depending on your Keycloak roles you will have different policies in Vault that allow or deny access to parts of the KV store.

  • Vault policies can define access of type list, read, update or delete on KV store paths.

  • The KV store starting path is kv/.

WebUI

Once logged in to Vault with the WebUI you can easily browse the KV store and display, create, modify or delete secrets.

CLI

To interact with the Vault KV stores from the CLI you can use the vault kv subcommand.

List secrets

As on a Unix system, you can browse the contents of the KV store with vault kv list:

$ vault kv list kv/
Keys
----
concourse/

$ vault kv list kv/concourse
Keys
----
charlie/
delta/
echo/
global/
india/

$ vault kv list kv/concourse/charlie
Keys
----
caascad-kubernetes-charlie

Read the content of a secret

$ vault kv get kv/concourse/charlie/caascad-kubernetes-charlie
====== Metadata ======
Key              Value
---              -----
created_time     2021-07-16T09:46:01.917819293Z
deletion_time    n/a
destroyed        false
version          1

======== Data ========
Key             Value
---             -----
token           concourse-client-pipelines-charlie:XXXX
url             https://rancher.ocb-demo.caascad.com/k8s/clusters/c-f8lnt
...

Note

With the -format=json option you get JSON output, which is useful in scripts.

You can also use the -field option to read only the value of a specific key.

$ vault kv get -field=url kv/concourse/charlie/caascad-kubernetes-charlie
https://rancher.ocb-test01.caascad.com/k8s/clusters/c-f8lnt

Create a new secret

With vault kv put you can create a secret or overwrite an existing one:

$ vault kv put kv/concourse/charlie/my-app foo=bar

$ vault kv get kv/concourse/charlie/my-app
Key             Value
---             -----
foo             bar

$ vault kv put kv/concourse/charlie/my-app db_password=very-sensitive-value

$ vault kv get kv/concourse/charlie/my-app
Key             Value
---             -----
db_password     very-sensitive-value

Note

In the example above, we lost the foo key! kv put overwrites the secret completely.

Update an existing secret

With vault kv patch you can add more values to an existing secret or overwrite an existing value:

$ vault kv patch kv/concourse/charlie/my-app redis_password=another-sensitive-value

$ vault kv get kv/concourse/charlie/my-app
Key             Value
---             -----
db_password     very-sensitive-value
redis_password  another-sensitive-value

Note

In the example above, db_password is still there!

Delete a secret

To delete a secret use the vault kv delete command:

$ vault kv delete kv/concourse/charlie/my-app
Success! Data deleted (if it existed) at: kv/concourse/charlie/my-app

Note

The KV store is versioned and a deleted secret can be undeleted with vault kv undelete.

For more information about secrets versioning: https://learn.hashicorp.com/tutorials/vault/versioned-kv
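The put/patch/delete/undelete behaviour described in the sections above, replayed against a small model of a versioned KV v2 path. This is an added illustration written for this page, not Vault's implementation and not the project's own code: it ignores check-and-set, version limits and destroy, and the class and function names are invented for the example.

```python
class VersionedKV:
    """Minimal model of one Vault KV v2 path (constructed for illustration)."""

    def __init__(self):
        self.versions = {}    # version number -> dict of key/values
        self.deleted = set()  # versions with deletion_time set (soft-deleted)
        self.current = 0      # latest version number, 0 = nothing written yet

    def put(self, **kv):
        # `vault kv put`: a brand-new version holding ONLY the supplied keys
        self.current += 1
        self.versions[self.current] = dict(kv)
        return self.current

    def patch(self, **kv):
        # `vault kv patch`: read the latest live version, merge, write a new version
        if self.current == 0 or self.current in self.deleted:
            raise LookupError("no live version to patch")
        merged = dict(self.versions[self.current])
        merged.update(kv)
        self.current += 1
        self.versions[self.current] = merged
        return self.current

    def get(self, version=None):
        # `vault kv get [-version=N]`: a deleted version returns no data
        v = version or self.current
        if v not in self.versions or v in self.deleted:
            return None
        return dict(self.versions[v])

    def delete(self, version=None):
        # soft delete: the data is kept, only deletion_time is set
        self.deleted.add(version or self.current)

    def undelete(self, version=None):
        # `vault kv undelete`: clears deletion_time, data is readable again
        self.deleted.discard(version or self.current)


def walkthrough():
    """Replays the page's my-app sequence; returns the data seen at each step."""
    kv = VersionedKV()
    kv.put(foo="bar")
    after_put = kv.get()                                # {'foo': 'bar'}
    kv.put(db_password="very-sensitive-value")
    after_overwrite = kv.get()                          # foo is gone
    kv.patch(redis_password="another-sensitive-value")
    after_patch = kv.get()                              # both passwords present
    kv.delete()
    after_delete = kv.get()                             # None: version 3 is deleted
    kv.undelete()
    return after_put, after_overwrite, after_patch, after_delete, kv.get(), kv.get(version=1)
```

Note that version 1 (the one holding foo) is still readable by version number after the overwriting put, which is why the versioned store matters when a put goes wrong.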