Check if secret exists before querying Vault

Dear HashiCorp community,

I am looking for a way to check if a secret exists before querying Vault for the secret at the given path.

For example, when a version of a secret is deleted or destroyed in Vault, that version remains as an empty dict.

image875×291 17.6 KB

When injecting the secret as follows:

vault.hashicorp.com/agent-inject-template-minio-credentials: |
  {{- with secret "path/to/secret" }}
    export MINIO_ACCESS_KEY="{{ .Data.data.accessKey }}"
    export MINIO_SECRET_KEY="{{ .Data.data.secretKey }}"
  {{- end -}}

I receive the following error:

vault-agent-init 2021-11-11T09:59:37.910Z [WARN] (view) vault.read(path/to/secret): no secret exists at path/to/secret (retry attempt 6 after "8s")       

Is there any method to CHECK if a secret exists before querying Vault for the secret at the given path?

Check: Add "secret_exists" function · Issue #776 · hashicorp/consul-template · GitHub … at the bottom there are some options.

Have you tested this? The workaround with range does not work for me.

vault.hashicorp.com/agent-inject-template-minio-credentials: |
  {{- range secret "path/to/secret" }}
    export MINIO_ACCESS_KEY="{{ .Data.data.accessKey }}"
    export MINIO_SECRET_KEY="{{ .Data.data.secretKey }}"
  {{- end -}}

Leads to 403 permission denied.

I also tried:

vault.hashicorp.com/agent-inject-template-minio-credentials: |
  {{- range secret "path/to/secret" }}
  {{- if eq . "path/to/secret" }
    export MINIO_ACCESS_KEY="{{ .Data.data.accessKey }}"
    export MINIO_SECRET_KEY="{{ .Data.data.secretKey }}"
  {{- end -}}
  {{- end -}}

Please point out if I misunderstand.

No, never needed to retrieve the previous version of a secret.