Multiple key value pairs in secrets path and certificate authentication

sravyamks · May 12, 2020, 9:33pm

Hi,
I am new to Hashicorp and would like to understand how do customers usually store credentials on the vault. I see we can add multiple key value pairs in the same secrets path. How often do we see customers saving their usernames and passwords as separate kv pairs.

When authenticating the vault using certificate based authentication, do we still need the bearer token to perform the initial operations like unseal. Do we need to unseal every time we access the vault from an application.

ncabatoff · May 13, 2020, 3:49pm

Hi @sravyamks,

Thanks for posting your questions to the forum.

How often do we see customers saving their usernames and passwords as separate kv pairs.

I think that’s the norm, unless you have a good reason to put multiple things into the same kv entry. We don’t support PATCH, so it makes sense to segregate them so they can be updated independently.

When authenticating the vault using certificate based authentication, do we still need the bearer token to perform the initial operations like unseal.

Unseal is “unauthenticated” in that doesn’t use a vault token, it uses unseal key fragments, and I don’t think you can put that in the bearer header.

Do we need to unseal every time we access the vault from an application.

You unseal Vault after starting it, or if it seals itself e.g. due to an error with the storage layer. Normally this isn’t an application concern, it’s more part of your infrastructure to manage Vault.

chainhead · May 20, 2020, 1:30pm

But, PATCH seems to be supported here - https://www.vaultproject.io/docs/commands/kv/patch

ncabatoff · May 20, 2020, 1:57pm

Yes, if you use the CLI, you can do a patch, though with parallel updates some may experience failures and need to be retried. The HTTP API itself doesn’t support patch however. There’s some context here: https://github.com/hashicorp/vault/issues/6510 and https://github.com/hashicorp/vault/issues/182.

sravyamks · May 20, 2020, 7:15pm

So, if a user saves username/ssh key as a key value pairs in a kv engine, is there a way for application to identify that the secret being retrieved is username/sshkey and not username/password.

Wolfsrudel · May 20, 2020, 7:39pm

Your application should validate if the value is in the format of a ssh-key or not.

There should be a algorithm to validate them.

For rsa:
https://tools.ietf.org/html/rfc4432

For dsa:
https://tools.ietf.org/html/rfc4253

Topic		Replies	Views
Cannot unseal after first installation using Keys Vault	7	2668	January 17, 2022
Multi-process applications (e.g. Flask) for x509-based authentication Vault vault	2	103	May 14, 2025
Vault injector is not able access the secret KV store with Certificate and Private Key Vault	20	1795	April 4, 2023
Storing app user secret in vault Vault vault	13	3412	September 23, 2021
Store and read SSH pvt keys from the vault Vault	13	15142	October 29, 2025

Multiple key value pairs in secrets path and certificate authentication

Related topics