Hello, I have a running instance of vault with a kv secret engine called foobar and inside multiple secrets.
In fact, if I run vault kv list foobar, I get this:
Keys
----
my/
bar/
mysecrets/
Now, my goal is to move the whole content of foobar/mysecrets/ (which contains more stuff) into a separate secret engine (that I created) called mymovedsecrets/.
The first thing I did was create the new secret engine, and I checked that both the source and destination secret engines exist and are enabled; they appear in the vault secrets list output:
...
foobar/ kv kv_123456c n/a
mymovedsecrets/ kv kv_785493b n/a
...
Then, when I tried to move the secrets, I got an error.
vault secrets move foobar/mysecrets/ mymovedsecrets/
Error moving secrets engine foobar/mysecrets/ to mymovedsecrets/: Error making API request.
URL: POST https://vaultinstance/v1/sys/remount
Code: 400. Errors:
* path already in use at "mymovedsecrets/"
I tried again with vault secrets move foobar/ mymovedsecrets/ (just foobar/ instead of foobar/mysecrets/) and had the same problem.
Then after deleting mymovedsecrets, I tried to run this:
vault secrets move foobar/mysecrets/ mymovedsecrets/
But this was the output:
Started moving secrets engine foobar/mysecrets/ to mymovedsecrets/, with migration ID 318…80940
Failure! Error encountered moving secrets engine … with migration ID 318…80940
and from the logs I see this:
2024-12-27T08:50:01.354+0100 [INFO] core.mounts.migration: Starting to update the mount table and revoke leases: from_path=foobar/mysecrets/migration_id=318....80940 namespace="" to_path=mymovedsecrets/
2024-12-27T08:50:01.354+0100 [ERROR] core: nil entry found tainting entry in mounts table: path=kubernetes/testmigrationKube/
2024-12-27T08:50:01.354+0100 [ERROR] core.mounts.migration: remount failed: from_path=foobar/mysecrets/ migration_id=318....80940 namespace="" to_path=mymovedsecrets/ error="failed to taint entry in mounts table"
I tried to look for this error but I found nothing.
The documentation about secrets move is unclear about this topic.
I also tried to run the command vault secrets move foobar/ mymovedsecrets/ (note: mymovedsecrets did not exist at that point)
and it worked, but I don’t want to move the whole foobar/ to mymovedsecrets/, just the content of foobar/mysecrets/ to mymovedsecrets/ as there are other secrets in foobar/ that I don’t want to move.
Is it possible to achieve this without moving the whole foobar/ to mymovedsecrets/ or creating a script to recursively move the secrets (I'd really rather avoid it)?
The Vault version is 1.8.2 and I'm using the same version of the Vault CLI.
Thanks for your help!
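For reference, the recursive copy the question hopes to avoid, shown here as an added example that is not part of the post or of Vault's own tooling. It walks a KV subtree over Vault's HTTP API and writes each secret under the destination mount, leaving the source untouched so the copy can be verified before anything is deleted. Assumptions: both mounts are KV version 2 (the post does not state the version), so the endpoints are <mount>/metadata/<path> for listing and <mount>/data/<path> for reading and writing; the mount names foobar and mymovedsecrets come from the post; the FakeKv class and all sample secrets are constructed for the offline self-check; VAULT_ADDR and VAULT_TOKEN are the standard CLI environment variables.

```python
"""Recursive copy of a KV v2 subtree between two Vault mounts (added example).

With VAULT_ADDR and VAULT_TOKEN set, the real HTTP client is used; otherwise
only the in-memory self-check runs.  The source is never deleted here.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Dict, List, Optional


def _join(*parts: str) -> str:
    """Join path segments, dropping empty segments and stray slashes."""
    return "/".join(p.strip("/") for p in parts if p.strip("/"))


class FakeKv:
    """Constructed in-memory stand-in for KV v2 mounts, for offline testing."""

    def __init__(self) -> None:
        self.store: Dict[str, Dict[str, dict]] = {}  # mount -> {path: data}

    def list(self, mount: str, path: str) -> List[str]:
        # Mimic Vault's LIST output: direct children, folders end with "/".
        prefix = path.strip("/") + "/" if path.strip("/") else ""
        keys = set()
        for full in self.store.get(mount, {}):
            if full.startswith(prefix):
                head, sep, _ = full[len(prefix):].partition("/")
                keys.add(head + "/" if sep else head)
        return sorted(keys)

    def read(self, mount: str, path: str) -> dict:
        return dict(self.store[mount][path])

    def write(self, mount: str, path: str, data: dict) -> None:
        self.store.setdefault(mount, {})[path] = dict(data)


class HttpKv:
    """Minimal KV v2 client over Vault's documented HTTP API (assumed KV v2)."""

    def __init__(self, addr: str, token: str) -> None:
        self.addr, self.token = addr.rstrip("/"), token

    def _call(self, method: str, url_path: str, body: Optional[dict] = None) -> dict:
        req = urllib.request.Request(
            f"{self.addr}/v1/{url_path}", method=method,
            data=json.dumps(body).encode() if body is not None else None,
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}

    def list(self, mount: str, path: str) -> List[str]:
        try:  # ?list=true is Vault's GET form of the LIST operation
            return self._call("GET", f"{mount}/metadata/{path}?list=true")["data"]["keys"]
        except urllib.error.HTTPError as e:
            if e.code == 404:  # no secrets under this path
                return []
            raise

    def read(self, mount: str, path: str) -> dict:
        return self._call("GET", f"{mount}/data/{path}")["data"]["data"]

    def write(self, mount: str, path: str, data: dict) -> None:
        self._call("POST", f"{mount}/data/{path}", {"data": data})


def copy_tree(src, dst, src_mount: str, src_path: str, dst_mount: str, dst_path: str = "") -> List[str]:
    """Copy every secret below src_mount/src_path to dst_mount/dst_path.

    Returns the destination paths written, in order, as an audit record.
    Folders (keys ending in "/") are descended; leaves are read and rewritten.
    """
    written: List[str] = []
    for key in src.list(src_mount, src_path):
        child_src, child_dst = _join(src_path, key), _join(dst_path, key)
        if key.endswith("/"):
            written.extend(copy_tree(src, dst, src_mount, child_src, dst_mount, child_dst))
        else:
            dst.write(dst_mount, child_dst, src.read(src_mount, child_src))
            written.append(f"{dst_mount}/{child_dst}")
    return written


def verify_copy(src, dst, src_mount: str, src_path: str, dst_mount: str, dst_path: str = "") -> List[str]:
    """Return destination paths whose data differs from the source (empty = copy complete)."""
    mismatched = []
    for key in src.list(src_mount, src_path):
        child_src, child_dst = _join(src_path, key), _join(dst_path, key)
        if key.endswith("/"):
            mismatched.extend(verify_copy(src, dst, src_mount, child_src, dst_mount, child_dst))
        elif src.read(src_mount, child_src) != dst.read(dst_mount, child_dst):
            mismatched.append(f"{dst_mount}/{child_dst}")
    return mismatched


def selftest() -> List[str]:
    """Offline run against constructed data mirroring the post's layout."""
    kv = FakeKv()
    for p, d in {"my/a": {"k": "1"}, "bar/b": {"k": "2"},
                 "mysecrets/db": {"user": "app"}, "mysecrets/nested/api": {"token": "x"}}.items():
        kv.write("foobar", p, d)
    written = copy_tree(kv, kv, "foobar", "mysecrets", "mymovedsecrets")
    assert verify_copy(kv, kv, "foobar", "mysecrets", "mymovedsecrets") == []
    return written


if __name__ == "__main__":
    addr, token = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    if addr and token:
        client = HttpKv(addr, token)
        print(copy_tree(client, client, "foobar", "mysecrets", "mymovedsecrets"))
        print("mismatches:", verify_copy(client, client, "foobar", "mysecrets", "mymovedsecrets"))
    else:
        print(selftest())
```

The copy only touches the mysecrets/ subtree, so the other keys in foobar/ stay where they are; the operator deletes the source only after verify_copy returns an empty list. The token used needs list/read on the source and create/update on the destination, and nothing more.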