Get secret engine version via CLI

I have a script that performs some operations with secrets using Vault CLI. In order to interact with secret engine I need to automatically determine its version first, since they have different API. Right now I’m just using vault kv metadata and check if it fails or not with a given engine. Is there a more straightforward way to do it?

Maybe this could help:


If you are looking for a way to find out the version of the KV secret’s engine that is being used, you can use the /sys/internal/ui/mounts endpoint.

Here is a quick example :

  • I create a secret at path secret/my-secret with vault kv put secret/my-secret foo=bar
  • In order to figure out what version of the KV is being used i use curl : | jq

The returned JSON looks like :

  "request_id": "e310b063-9136-84d2-0d9c-91b91af3ce07",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "accessor": "kv_a9c9dd98",
    "config": {
      "default_lease_ttl": 0,
      "force_no_cache": false,
      "max_lease_ttl": 0
    "description": "key/value secret storage",
    "external_entropy_access": false,
    "local": false,
    "options": {
      "version": "2"
    "path": "secret/",
    "seal_wrap": false,
    "type": "kv",
    "uuid": "63c48eff-a5ae-4ecd-9b72-5cc522644b06"
  "wrap_info": null,
  "warnings": null,
  "auth": null

In the options.version field you can see that the version of this KV is 2.

Hope this helps !



Hello! Thank you for your answer.
Your solution requires the user to have administrative privileges or specific policy that permits access to /sys/mounts endpoint. What if user only has access to the secret engine? That level of access seems to be enough for the Web UI to display the version.


The sys/internal/ui/mounts/ endpoint does not require explicit authentication (policy) as long as you have access to the particular secret. For example, if you have access to secret/test you can do sys/internal/ui/mounts/secret/test and it will return the version of the KV engine.