The documentation is not very good at explaining this, but KVv2 makes a distinction between “logical KV path” and URL path.
“Logical KV path” is a term I just made up for the sake of having a way to talk about it here, by the way.
In your example, company/
appears to be your KVv2 mount point, and project/
a “logical KV path” which you want to create some entries.
When you work with tooling that is specifically aware it is working with a KVv2 - like the Vault web UI, or the vault kv ...
family of CLI commands, that’s all you need to know.
But, when you work with URLs, such as when you write policies, or use generic CLI commands like vault read ...
(or write
, delete
, list
) you need to know about the URLs used in the API, which insert another path component between the mount point and “logical KV path”!
<mount point>/<KVv2-operation>/<logical KV path>
The KVv2-operations, listed with the capabilities (in the ACL policy sense) that you can use with them are:
- metadata (read list create update delete patch)
- data (read create update delete patch)
- delete (update)
- undelete (update)
- destroy (update)
- subkeys (read) - new in Vault 1.10
Armed with this overall structure, grouping things into URLs, it should get slightly easier to cope with understanding the large number of operations detailed on KV - Secrets Engines - HTTP API | Vault by HashiCorp
An example, to wrap things up:
Suppose I do vault kv list company
- the request sent to Vault is actually a list on company/metadata/
and if I do vault kv put company/project/example x=y
the request sent to Vault is actually a create or update on company/data/project/example