Consul Template not returning Vault KV items with "deletion_time" set

According to this function deletedKVv2 defined in consul-template/dependency/vault_read.go at main · hashicorp/consul-template · GitHub on line 178, when querying secrets from Vault, they are not returned when the metadata field deletion_time has been set.

I’d like to know the idea behind it. A secret can still be available at the time it’s being queried by consul-template, why not return it then?

@eikenb You added this code 4 years ago, do you still know why you’re not comparing the actual date with the deletion_time date? I’m very curious as to why this was done. :slight_smile:

deletion_time records when the secret was deleted in the past. It doesn’t schedule a deletion for the future. Thus, if it’s set, the deletion has already happened.

Hey, thanks for replying.

Your statement is not really true. In the Vault UI, when you go to a secret and click on the “Meta data” tab, then “Edit metadata”, you can enable “Automate secret deletion” and set a time frame. Save this, it will show “Delete version after” being set to that time frame.

Now every new version of the secret will have the metadata field deletion_time set to a date and time in the future that matches with the time frame specified by you earlier.

So I can set it to say 10 days, and it will auto delete that version in 10 days, but within those 10 days, consul-template will not return the value of that secret anymore. If I then disable “Automatic secret deletion” and create a new version of the secret, consul-template will fetch the secret again.

Ah - apologies - I had not come across that particular workflow.

In that case, I would like to amend my answer:

It is likely the code in consul-template does what it does, because the person who wrote it was under the same misapprehension as I was :slight_smile:

Ah, no problem! It’s impossible to know everything :wink:

Hence I pinged @eikenb in my first message, since he made that part of the code and I was wondering if my “bug” was a feature, or something that was overlooked or has changed over the course of the 4 years since this code was added :wink: My best guess is that Vault added the DeleteVersionAfter time.Duration in a version after the code was added in consul-template.

… digging …

About a year ago it was added to the API. But the “delete version after” has been in the code for about 4 years.

api commit: KV helper methods for api package (#15305) · hashicorp/vault@242a6f9 · GitHub
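The distinction the thread arrives at, as an added example that is not part of the original discussion or of consul-template's code: a check that treats any non-empty deletion_time as "deleted" versus one that only does so once the timestamp has actually passed. The kvMetadata struct and the sample timestamps are constructed here; the RFC3339 format of deletion_time follows the Vault KV v2 read response.

```go
package main

import (
	"fmt"
	"time"
)

// kvMetadata holds the KV v2 "metadata" fields relevant here (constructed for this example).
type kvMetadata struct {
	DeletionTime string // RFC3339 timestamp, or "" when no deletion is recorded or scheduled
	Destroyed    bool
}

// isDeletedAnySet mirrors the behaviour described in the thread: any non-empty
// deletion_time counts as deleted, even when the timestamp lies in the future.
func isDeletedAnySet(m kvMetadata) bool {
	return m.DeletionTime != ""
}

// isDeletedAt treats the version as deleted only once deletion_time has passed
// (or the version is destroyed). A future deletion_time, as set by
// delete_version_after, leaves the version readable until that instant.
func isDeletedAt(m kvMetadata, now time.Time) (bool, error) {
	if m.Destroyed {
		return true, nil
	}
	if m.DeletionTime == "" {
		return false, nil
	}
	t, err := time.Parse(time.RFC3339Nano, m.DeletionTime)
	if err != nil {
		return false, fmt.Errorf("bad deletion_time %q: %w", m.DeletionTime, err)
	}
	return !t.After(now), nil
}

func main() {
	now := time.Date(2024, 1, 10, 12, 0, 0, 0, time.UTC) // fixed "now" for a deterministic run
	samples := []kvMetadata{
		{DeletionTime: "2024-01-20T12:00:00.000000000Z"}, // scheduled 10 days out: still readable
		{DeletionTime: "2024-01-01T12:00:00.000000000Z"}, // already deleted
		{},                                                 // no deletion at all
	}
	for _, m := range samples {
		pastOnly, err := isDeletedAt(m, now)
		fmt.Printf("deletion_time=%q anySet=%v pastOnly=%v err=%v\n",
			m.DeletionTime, isDeletedAnySet(m), pastOnly, err)
	}
}
```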