Large amount of view keys


We tried to disable/remove a pki secret engine, first using Terraform and then manually using vault secrets disable pki/<identifier>. When we tried to do this, we received the error context deadline exceeded.

When looking in the logs, we noticed:

{"@level":"debug","@message":"clearing view","@module":"core.secrets.deletion","@timestamp":"2020-12-01T11:36:04.756294Z","namespace":"root","path":"pki/<identifier/","total_keys":1461754}

{"@level":"error","@message":"failed to clear view for path being unmounted","@module":"core","@timestamp":"2020-12-01T11:37:32.709597Z","error":"http://<IP_ADDRESS:PORT>/v1/kv/HIDDEN/logical/1234-abcd-56ef-gh78-12345abcde/certs/1a-2b-3c-4d-5e-6f-7g-8h-9i-0j-1k-2l-3m-4n-5o-6p-7q-8r-9s-0t: context canceled","path":"pki/<IDENTIFIER>/"}

{"@level":"error","@message":"unmount failed","@module":"secrets.system.system_63b37468","@timestamp":"2020-12-01T11:37:32.709641Z","error":"Delete http://<IP_ADDRESS:PORT>/v1/kv/HIDDEN/logical/1234-abcd-56ef-gh78-12345abcde/certs/1a-2b-3c-4d-5e-6f-7g-8h-9i-0j-1k-2l-3m-4n-5o-6p-7q-8r-9s-0t: context canceled","path":"pki/<IDENTIFIER>/"}

We have a few questions:

  • Why would our total_keys value be so large, and is there any way to minimize this, as this could cause issues for other unmounting attempts?
  • What is a view?
  • What are these keys?
  • Is there any documentation around this that I may have missed?
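
An added example, not part of the original post and not HashiCorp's code: a small Python script that pairs each "clearing view" event with a later "failed to clear view" error on the same path, reporting the key count and how long the unmount ran before it was cancelled. The sample lines are constructed from the log format quoted above; the path `pki/example/`, the shortened error text and the `key_threshold` value are assumptions.

```python
import json
from datetime import datetime

# Constructed sample lines modelled on the log format quoted above;
# the mount path "pki/example/" and the error text are placeholders.
SAMPLE_LOG = """\
{"@level":"debug","@message":"clearing view","@module":"core.secrets.deletion","@timestamp":"2020-12-01T11:36:04.756294Z","namespace":"root","path":"pki/example/","total_keys":1461754}
{"@level":"info","@message":"unrelated line","@module":"core","@timestamp":"2020-12-01T11:36:10.000000Z"}
not json at all
{"@level":"error","@message":"failed to clear view for path being unmounted","@module":"core","@timestamp":"2020-12-01T11:37:32.709597Z","error":"context canceled","path":"pki/example/"}
"""

def parse_ts(value):
    # fromisoformat() on older Python versions rejects a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def unmount_report(log_text, key_threshold=100_000):
    """Pair 'clearing view' events with a later failure on the same path.

    key_threshold is an arbitrary cut-off chosen for this example.
    """
    started, report = {}, []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines mixed into the log
        if not isinstance(event, dict):
            continue
        msg, path = event.get("@message"), event.get("path")
        if msg == "clearing view":
            started[path] = (parse_ts(event["@timestamp"]), event.get("total_keys", 0))
        elif msg == "failed to clear view for path being unmounted" and path in started:
            begin, keys = started.pop(path)
            elapsed = (parse_ts(event["@timestamp"]) - begin).total_seconds()
            report.append({
                "path": path,
                "total_keys": keys,
                "seconds_before_failure": round(elapsed, 3),
                "oversized": keys >= key_threshold,
                "error": event.get("error"),
            })
    return report

if __name__ == "__main__":
    for row in unmount_report(SAMPLE_LOG):
        print(row)
```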


I’d recommend checking out the learn article on Inspecting data in Vault for whichever storage backend (Consul or int storage) you have, and seeing if you can correlate a PKI role that ended up with 1.4m keys (or spread across multiple?).
How long are your TTLs on PKIs you’ve created?

Thanks for the reply Mike.

I will check out the article and investigate our data.

Our TTLs are set to 1 year.