Move secrets from one kv secret engine to another kv engine

Hello, I have a running instance of Vault with a kv secrets engine called foobar, with multiple secrets inside.
In fact, if I run vault kv list foobar I get this:

Keys
----
my/
bar/
mysecrets/

Now, my goal is to move the whole content of foobar/mysecrets/ (which contains more stuff) into a separate secrets engine (that I created) called mymovedsecrets/.

The first thing I did was create the new secrets engine and check that both the source and destination secrets engines exist and are enabled; they appear in the vault secrets list output:

...
foobar/                      kv           kv_123456c           n/a
mymovedsecrets/              kv           kv_785493b           n/a
...

Then I tried to move the secrets, but I got an error:
vault secrets move foobar/mysecrets/ mymovedsecrets/

Error moving secrets engine foobar/mysecrets/ to mymovedsecrets/: Error making API request.

URL: POST https://vaultinstance/v1/sys/remount
Code: 400. Errors:

* path already in use at "mymovedsecrets/"

I tried again with vault secrets move foobar/ mymovedsecrets/ (just foobar/ instead of foobar/mysecrets/) and had the same problem.

Then, after deleting mymovedsecrets, I tried to run this:
vault secrets move foobar/mysecrets/ mymovedsecrets/

But this was the output:

Started moving secrets engine foobar/mysecrets/ to mymovedsecrets/, with migration ID 318…80940
Failure! Error encountered moving secrets engine … with migration ID 318…80940

and from the logs I see this:

2024-12-27T08:50:01.354+0100 [INFO]  core.mounts.migration: Starting to update the mount table and revoke leases: from_path=foobar/mysecrets/migration_id=318....80940 namespace="" to_path=mymovedsecrets/
2024-12-27T08:50:01.354+0100 [ERROR] core: nil entry found tainting entry in mounts table: path=kubernetes/testmigrationKube/
2024-12-27T08:50:01.354+0100 [ERROR] core.mounts.migration: remount failed: from_path=foobar/mysecrets/ migration_id=318....80940 namespace="" to_path=mymovedsecrets/ error="failed to taint entry in mounts table"

I tried to look for this error but I found nothing.
The documentation about secrets move is unclear about this topic.

I also tried to run the command vault secrets move foobar/ mymovedsecrets/ (note: mymovedsecrets does not exist)
and it worked, but I don’t want to move the whole foobar/ to mymovedsecrets/, just the content of foobar/mysecrets/ to mymovedsecrets/ as there are other secrets in foobar/ that I don’t want to move.

Is it possible to achieve this without moving the whole foobar/ to mymovedsecrets/ or creating a script to recursively move the secrets (I'd really rather avoid it)?

Vault version is 1.8.2 and I’m using the same version in vault cli.

Thanks for your help!

Hello,

Are you able to test this with a newer version of Vault? The current version family is 1.18.

Just tested this and it's working as expected (though I agree the docs could use a bit more explanation).

I performed the steps without the target kv secrets engine enabled/mounted. The move handled enabling it. I did this all using the root token to ensure I wasn’t running into an issue with a policy.

Repro steps:

vault secrets list                
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_78702058    per-token private secret storage
identity/     identity     identity_bee9b053     identity store
secret/       kv           kv_ea39b963           key/value secret storage
sys/          system       system_ef283bec       system endpoints used for control, policy and debugging

vault kv put secret/supersecret username=jalbertson password=bestpasswordever
===== Secret Path =====
secret/data/supersecret

======= Metadata =======
Key                Value
---                -----
created_time       2024-12-30T19:43:33.705698Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

vault secrets move secret/ kvv2/              
Started moving secrets engine secret/ to kvv2/, with migration ID 23a0eb8d-eab8-8bdf-8d8b-c9ec28d38a90
Waiting for terminal status in migration of secrets engine secret/ to kvv2/, with migration ID 23a0eb8d-eab8-8bdf-8d8b-c9ec28d38a90
Success! Finished moving secrets engine secret/ to kvv2/, with migration ID 23a0eb8d-eab8-8bdf-8d8b-c9ec28d38a90

vault secrets list
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_78702058    per-token private secret storage
identity/     identity     identity_bee9b053     identity store
kvv2/         kv           kv_ea39b963           key/value secret storage
sys/          system       system_ef283bec       system endpoints used for control, policy and debugging

vault kv get kvv2/supersecret
==== Secret Path ====
kvv2/data/supersecret

======= Metadata =======
Key                Value
---                -----
created_time       2024-12-30T19:43:33.705698Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

====== Data ======
Key         Value
---         -----
password    bestpasswordever
username    jalbertson

Hello,

My apologies, I made a typo; the version I'm using is 1.18.2.

As I mentioned, though perhaps without highlighting it enough, the way you described worked for me as well, but what I'm trying to move is one level deeper.

So, using your example, it would be something like

secret/supersecret/mydeepsecret

And then

vault secrets move secret/supersecret kvv2/ 

(tbh, I don't care if the final destination is kvv2/ or kvv2/subfolder)

No worries on the typo! The move command is for the entire secrets engine:

"The secrets move command moves an existing secrets engine to a new path"

You could use the move command and delete the secrets you do not want to be available at the new path.

Sadly this is not an option, as I need most of the secrets to stay in the original engine and only a subset of them should be moved to another secrets engine.
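Since secrets move remounts a whole engine, the remaining route for a subtree like foobar/mysecrets/ is the recursive copy the original poster mentioned. The following is an added example, not code from the thread or from Vault: a walker over list/read/write callables, exercised here against a constructed in-memory store (FakeKv and copy_kv_tree are assumed names; wiring the callables to a live Vault via hvac or the HTTP API is left to the caller).

```python
from typing import Callable, Dict, List

KvData = Dict[str, str]
ListFn = Callable[[str, str], List[str]]      # (mount, prefix) -> child keys; folders end in "/"
ReadFn = Callable[[str, str], KvData]         # (mount, path)   -> current version's key/values
WriteFn = Callable[[str, str, KvData], None]  # (mount, path, data) -> writes a new version

def copy_kv_tree(src_mount: str, src_prefix: str, dst_mount: str, dst_prefix: str,
                 list_fn: ListFn, read_fn: ReadFn, write_fn: WriteFn) -> List[str]:
    """Copy every secret under src_mount/src_prefix to dst_mount/dst_prefix.

    Returns the destination paths written, so the caller can verify the copy before
    deleting anything at the source. Only the latest version of each secret is copied.
    """
    written: List[str] = []
    pending = [src_prefix]               # folders still to be listed
    while pending:
        prefix = pending.pop()
        for key in list_fn(src_mount, prefix):
            if key.endswith("/"):        # folder entry: descend into it
                pending.append(prefix + key)
                continue
            src_path = prefix + key
            rel = src_path[len(src_prefix):]            # path relative to the subtree root
            write_fn(dst_mount, dst_prefix + rel, read_fn(src_mount, src_path))
            written.append(dst_mount + dst_prefix + rel)
    return sorted(written)

class FakeKv:
    """Constructed in-memory stand-in for KV mounts (sample values, not real secrets)."""
    def __init__(self) -> None:
        self.store: Dict[tuple, KvData] = {
            ("foobar/", "mysecrets/db/prod"): {"user": "app", "password": "example-only"},
            ("foobar/", "mysecrets/db/stage"): {"user": "app", "password": "example-only-2"},
            ("foobar/", "mysecrets/apikey"): {"token": "constructed-token"},
            ("foobar/", "bar/other"): {"keep": "me"},   # outside the subtree; must stay put
        }
    def list(self, mount: str, prefix: str) -> List[str]:
        keys = set()
        for m, path in self.store:
            if m == mount and path.startswith(prefix):
                head, sep, _ = path[len(prefix):].partition("/")
                keys.add(head + sep)     # "db/" for a folder, "apikey" for a leaf
        return sorted(keys)
    def read(self, mount: str, path: str) -> KvData:
        return dict(self.store[(mount, path)])
    def write(self, mount: str, path: str, data: KvData) -> None:
        self.store[(mount, path)] = dict(data)
```

After the returned list has been checked against the source, the originals under foobar/mysecrets/ can be removed separately; the walker deliberately never deletes.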