Folder vs Secret with the same name?

mfinnigan · April 29, 2022, 11:51pm

I just noticed this, and can’t find any documentation that talks about it. There’s no UI element to create a folder that I’ve found, only a secret, but you can do it from the command line. Is this intentional, and is it mentioned in any documentation?

vault kv put secret/hello foo=world excited=yes
vault kv put secret/hello/2ndlevel bar=wtf

PS C:\ProgramData\chocolatey\bin\.vault> vault kv list secret/hello
Keys
----
2ndlevel
PS C:\ProgramData\chocolatey\bin\.vault> vault kv get secret/hello
======= Metadata =======
Key                Value
---                -----
created_time       2022-04-29T23:40:22.681958035Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

===== Data =====
Key        Value
---        -----
excited    yes
foo        world

And the UI shows one “hello” with the “document” icon that it uses for secrets, and one with a folder icon.

This isn’t a problem for me as such, but I’m not seeing any real documentation about folders (if they’re even called that) and how to deal with them as paths. I’ve not encountered other systems that let an item and a container at the same location have the same name.

stuart-c · April 30, 2022, 5:19am

Folders don’t really exist.

Vault only deals with secrets in the K/V engine, but as a convenience for users it will represent those secrets in a form of directory structure in the UI where their paths contain /. As a result there is no way to create an “empty directory” and totally possible to create a secret with the same name as a folder.

Conceptually it is similar to objects in a S3 bucket, where folders again don’t really exist and are just a convenience within the UI.

mfinnigan · May 2, 2022, 5:21pm

Thanks, Stuart, that’s really good info. Is that documented anywhere?