Hello!
Might be a dumb question but is it expected that a destroyed version of a secret is still tagged as the current
version? I would have expected current
to be the non-deleted / non-destroyed latest version of the secret.
Thanks!
Hello!
Might be a dumb question but is it expected that a destroyed version of a secret is still tagged as the current
version? I would have expected current
to be the non-deleted / non-destroyed latest version of the secret.
Thanks!
I noticed this as well, while wrapping the API in an app.
After destroying the latest version of a secret using DELETE /v1/secrets/ the very next GET (and all subsequent) returns the deleted secret version.
The documentation (KV - Secrets Engines - HTTP API | Vault | HashiCorp Developer) states:
This marks the version as deleted and will stop it from being returned from reads, but the underlying data will not be removed
This means when retrieving the latest ‘undeleted’ secret, I first have to call the secret metadata and decrement through the versions listed until I find one that is not deleted, then issue a second API call to retrieve that version.
It seems like a bug.
Here’s the metadata for a secret after creating some versions, then deleting the latest version, showing version 3 as destroyed, but still current.
{
"request_id": "be066955-7793-a45d-992f-c78332194906",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"cas_required": false,
"created_time": "2021-01-04T17:40:17.619668519Z",
"current_version": 3,
"delete_version_after": "0s",
"max_versions": 0,
"oldest_version": 0,
"updated_time": "2021-01-04T17:46:03.003753606Z",
"versions": {
"1": {
"created_time": "2021-01-04T17:40:17.619668519Z",
"deletion_time": "2021-01-04T17:42:03.619784047Z",
"destroyed": false
},
"2": {
"created_time": "2021-01-04T17:45:57.026095923Z",
"deletion_time": "2022-02-03T17:45:57.026095923Z",
"destroyed": false
},
"3": {
"created_time": "2021-01-04T17:46:03.003753606Z",
"deletion_time": "2022-02-03T17:46:03.003753606Z",
"destroyed": true
}
}
},
"wrap_info": null,
"warnings": null,
"auth": null
}
Ever happen to come across a solution to this? Only thing I can think of is to wipe the secret entirely (all versions) and re-create it, or “create new version” of the most recent non-deleted version - effectively make a copy it so that the current version in the metadata pointer will change.
It doesn’t seem to make much sense to me that current version stays pointed at an object that no longer exists.
Hi
can this help you ?
vault kv metadata get -format=json secret/mysecret | jq '.data.versions|to_entries|map(select(.value.destroyed==false).key)|max'
Update: My command gives you the last not destroyed version.
If you need not destroyed and not deleted, add a condition with 'deletion_time==“”