Multiple key value pairs in secrets path and certificate authentication

Hi,
I am new to HashiCorp and would like to understand how customers usually store credentials in Vault. I see we can add multiple key-value pairs in the same secrets path. How often do we see customers saving their usernames and passwords as separate KV pairs?

When authenticating to Vault using certificate-based authentication, do we still need the bearer token to perform the initial operations like unseal? Do we need to unseal every time we access Vault from an application?

Hi @sravyamks,

Thanks for posting your questions to the forum.

How often do we see customers saving their usernames and passwords as separate KV pairs?

I think that’s the norm, unless you have a good reason to put multiple things into the same kv entry. We don’t support PATCH, so it makes sense to segregate them so they can be updated independently.

When authenticating to Vault using certificate-based authentication, do we still need the bearer token to perform the initial operations like unseal?

Unseal is “unauthenticated” in that it doesn’t use a Vault token; it uses unseal key fragments, and I don’t think you can put those in the bearer header.

Do we need to unseal every time we access Vault from an application?

You unseal Vault after starting it, or if it seals itself e.g. due to an error with the storage layer. Normally this isn’t an application concern, it’s more part of your infrastructure to manage Vault.

But, PATCH seems to be supported here - https://www.vaultproject.io/docs/commands/kv/patch

Yes, if you use the CLI, you can do a patch, though with parallel updates some may experience failures and need to be retried. The HTTP API itself doesn’t support patch, however. There’s some context here: https://github.com/hashicorp/vault/issues/6510 and https://github.com/hashicorp/vault/issues/182.

So, if a user saves username/SSH key as key-value pairs in a KV engine, is there a way for the application to identify that the secret being retrieved is username/SSH key and not username/password?

Your application should validate whether the value is in the format of an SSH key or not.

There should be an algorithm to validate them.

For RSA:
https://tools.ietf.org/html/rfc4432

For DSA:
https://tools.ietf.org/html/rfc4253
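The format check suggested above, as an added example that is not part of this thread or of Vault's own code: a small Python classifier that takes a KV v2 read response and labels a field only when it positively matches an OpenSSH public key (RFC 4253 wire encoding, with the embedded type string checked against the text prefix) or a PEM-armoured private key with matching BEGIN/END labels; everything else, passwords included, stays "opaque", because a password cannot be distinguished from an arbitrary string. The response body and key material are constructed placeholders, not real Vault output or real keys.

```python
import base64
import json
import re
import struct

# Constructed KV v2 read body (shape of GET /v1/<mount>/data/<path>); the key
# material is a placeholder built inline, not a real key or a real Vault response.
PUB_KEY_B64 = base64.b64encode(struct.pack(">I", 11) + b"ssh-ed25519"
                               + struct.pack(">I", 32) + b"\x01" * 32).decode()
SAMPLE_RESPONSE = json.dumps({"data": {"data": {
    "username": "deploy",
    "password": "placeholder-not-a-real-password",
    "ssh_public_key": "ssh-ed25519 " + PUB_KEY_B64 + " deploy@host",
    "ssh_private_key": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    + base64.b64encode(b"placeholder").decode() + "\n-----END OPENSSH PRIVATE KEY-----\n",
}, "metadata": {"version": 3}}})

# PEM armour: the END label must repeat the BEGIN label (backreference \1).
PEM_RE = re.compile(r"^-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----\n?$", re.S)
SSH_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def _b64(text):
    """Strict base64 decode (whitespace stripped); None if the body is not valid base64."""
    try:
        return base64.b64decode("".join(text.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def classify(value):
    """'ssh-private-key', 'ssh-public-key' or 'opaque'. Only positively recognised
    formats get a label: a password cannot be told apart from any other string,
    and legacy encrypted PEM with Proc-Type headers is also reported as 'opaque'."""
    m = PEM_RE.match(value)
    if m and "PRIVATE KEY" in m.group(1) and _b64(m.group(2)) is not None:
        return "ssh-private-key"
    parts = value.split()
    if len(parts) >= 2 and parts[0] in SSH_TYPES:
        blob = _b64(parts[1]) or b""
        # RFC 4253 wire format: the blob starts with a length-prefixed copy of the
        # key type; if it disagrees with the text type the value is corrupt.
        n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else -1
        if blob[4:4 + n] == parts[0].encode():
            return "ssh-public-key"
    return "opaque"

def classify_kv_fields(response_json):
    """Classify every field of a KV v2 read response; the caller accepts only the types it expects."""
    fields = json.loads(response_json)["data"]["data"]
    return {name: classify(val) for name, val in fields.items()}
```

An application expecting an SSH key should refuse to proceed when the field it reads comes back "opaque", rather than passing the value to ssh and letting the failure surface there.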