I have a script that performs some operations with secrets using the Vault CLI. In order to interact with a secrets engine I need to automatically determine its version first, since they have different APIs. Right now I'm just using vault kv metadata and checking whether it fails or not with a given engine. Is there a more straightforward way to do it?
Maybe this could help:
Hello,
If you are looking for a way to find out the version of the KV secrets engine that is being used, you can use the /sys/internal/ui/mounts endpoint.
Here is a quick example:
- I create a secret at path secret/my-secret with vault kv put secret/my-secret foo=bar
- In order to figure out what version of the KV is being used I use curl (the token header is needed; the request is sent as the token that has access to the secret):
curl -H "X-Vault-Token: $VAULT_TOKEN" http://127.0.0.1:8200/v1/sys/internal/ui/mounts/secret/my-secret | jq
The returned JSON looks like:
{
"request_id": "e310b063-9136-84d2-0d9c-91b91af3ce07",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"accessor": "kv_a9c9dd98",
"config": {
"default_lease_ttl": 0,
"force_no_cache": false,
"max_lease_ttl": 0
},
"description": "key/value secret storage",
"external_entropy_access": false,
"local": false,
"options": {
"version": "2"
},
"path": "secret/",
"seal_wrap": false,
"type": "kv",
"uuid": "63c48eff-a5ae-4ecd-9b72-5cc522644b06"
},
"wrap_info": null,
"warnings": null,
"auth": null
}
In the options.version field you can see that the version of this KV is 2.
Hope this helps!
Martin
Hello! Thank you for your answer.
Your solution requires the user to have administrative privileges or a specific policy that permits access to the /sys/mounts endpoint. What if the user only has access to the secrets engine? That level of access seems to be enough for the Web UI to display the version.
Hello,
The sys/internal/ui/mounts/ endpoint does not require an explicit policy grant as long as you have access to the particular secret. For example, if you have access to secret/test you can do sys/internal/ui/mounts/secret/test and it will return the version of the KV engine.
Martin
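Putting both answers together, here is an added example (not code from the thread or from HashiCorp) of how a script can ask sys/internal/ui/mounts for the engine version with only the token that can read the secret, and then pick the KV v1 path (mount/secret) or the KV v2 path (mount/data/secret, mount/metadata/secret). The version parsing runs on a constructed copy of the response quoted above; the live call assumes VAULT_ADDR and VAULT_TOKEN in the environment. The assumption that a v1 mount reports no options.version (null or empty options) is mine, not stated in the thread.

```python
"""Added example: determine the KV engine version for a secret path via
/sys/internal/ui/mounts and build the matching API path.

Not from the thread; the HTTP call assumes VAULT_ADDR and VAULT_TOKEN
are set, as the Vault CLI itself does."""
import json
import os
import urllib.request
from typing import Optional

# Constructed sample: the KV v2 response shape quoted in the thread,
# trimmed to the fields this script uses.
SAMPLE_V2_RESPONSE = {
    "data": {
        "accessor": "kv_a9c9dd98",
        "options": {"version": "2"},
        "path": "secret/",
        "type": "kv",
    }
}

# Constructed sample for a KV v1 mount. Assumption (mine): a v1 mount
# reports null/empty options or no "version" key at all.
SAMPLE_V1_RESPONSE = {
    "data": {"accessor": "kv_0123abcd", "options": None, "path": "kv1/", "type": "kv"}
}


def fetch_mount_info(secret_path: str, addr: Optional[str] = None,
                     token: Optional[str] = None) -> dict:
    """GET /v1/sys/internal/ui/mounts/<secret_path> as the caller's token.

    Per the thread, a token whose policy only covers the secret itself is
    enough here; no sys/mounts privilege is required.
    """
    addr = (addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")).rstrip("/")
    token = token or os.environ["VAULT_TOKEN"]
    req = urllib.request.Request(
        f"{addr}/v1/sys/internal/ui/mounts/{secret_path.strip('/')}",
        headers={"X-Vault-Token": token},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def kv_version(mount_info: dict) -> int:
    """Return 1 or 2 from data.options.version; a missing value means v1."""
    data = mount_info.get("data") or {}
    if data.get("type") != "kv":
        raise ValueError(
            f"mount {data.get('path')!r} is type {data.get('type')!r}, not kv")
    options = data.get("options") or {}
    return int(options.get("version", "1"))


def kv_api_path(secret_path: str, mount_info: dict, op: str = "data") -> str:
    """Translate a logical secret path into the version-specific API path.

    KV v1 uses <mount>/<rel>; KV v2 uses <mount>/<op>/<rel>, where op is
    "data" for reads/writes or "metadata" for the metadata endpoints.
    """
    data = mount_info["data"]
    mount = data["path"]                       # e.g. "secret/"
    normalized = secret_path.strip("/") + "/"  # so prefix matching is exact
    if not normalized.startswith(mount):
        raise ValueError(f"{secret_path!r} is not under mount {mount!r}")
    rel = secret_path.strip("/")[len(mount):]
    if kv_version(mount_info) == 2:
        return f"{mount}{op}/{rel}"
    return f"{mount}{rel}"


if __name__ == "__main__":
    # Offline demonstration on the constructed responses.
    for path, info in (("secret/my-secret", SAMPLE_V2_RESPONSE),
                       ("kv1/my-secret", SAMPLE_V1_RESPONSE)):
        print(path, "-> KV v%d ->" % kv_version(info), kv_api_path(path, info))
    # Live use against a running Vault (needs VAULT_TOKEN):
    # info = fetch_mount_info("secret/my-secret")
    # print(kv_api_path("secret/my-secret", info))
```

The trailing-slash normalization matters: without it a secret at secrets2/foo would wrongly match the mount secret/ by plain prefix. The live path is intentionally a single request per secret, since the mount lookup is cheap and avoids the try-and-fail approach from the question.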