KV v2 http API - list secrets in <secret>-path

I am trying to list KV secrets and there is a documented API for this. In my testlab I am using CURL from my Macbook to generate the HTTP requests.

For KV v1 secrets it´s done like this:

curl
–header “X-Vault-Token: $VAULT_TOKEN”
–request LIST
http://127.0.0.1:8200/v1/kv-test

(where “kv-test” is the secret-path and I get a JSON file in return showing among other things the following:

“data”: {
“keys”: [
“Hemmelig”,
“more_secrets”
]
},

This API lists the all the secrets stored in “kv-test” and they are “Hemmelig” and “more_secrets”.

But how do I do this with v2 secrets? If I use the same syntax I get the following warning back in the JSON reply:
“Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use ‘vault kv list’ for this operation.”

But I do not want start a CLI in the backup using “vault kv list” for this operation. I would like to know the correct API call.

I know that for KV v2 I have to add the path “data/” to read the secrets. But since I just want to list up available secrets the natural thing would be to use:

curl
–header “X-Vault-Token: $VAULT_TOKEN”
–request LIST
http://127.0.0.1:8200/v1/graphdb/data
(where “graphdb” is the path to the secrets)

But all I get in return is a JSON object with the an error message saying:
“error occurred:\n\t* unsupported operation\n\n”

I am able to read the configuration of the KV v2 secret by using:
curl
–header “X-Vault-Token: $VAULT_TOKEN”
http://127.0.0.1:8200/v1/graphdb/config

And I am able to read a KV v2 secret by using:

curl
–header “X-Vault-Token: $VAULT_TOKEN”
http://127.0.0.1:8200/v1/graphdb/data/ENC_KEY (where “graphdb” is the path to the secrets and “ENC_KEY” is the actual secret.

This HTTP API request returns a JSON file with the secret value.

What is the HTTP API equivalent to the CLI command “vault kv list” supporing KV v2 secrets? It is documented and working for KV v1 secrets but not for KV v2 secrets.

Can anybody help? Which endpoint do I use to list KV v2 secrets?

I am running Vault v1.3.1

Thanks

Hi oysteinhermansen,

For KV v2, a LIST must include “metadata” after the mount and before the path to the key, so in your case http://127.0.0.1:8200/v1/metadata/kv-test. Docs: LIST kv v2.

Thanks.

Tried it, it worked.