Proper KV2 API syntax for Vault with Namespaces - Path Only

What is the proper API syntax for retrieving secrets from the KV2 API when using namespaces WITHOUT headers?

The path to my secret is nonprod/feature/testing-secrets, and for the sake of this discussion assume it’s in namespace my-namespace. Note the secret engine mount is nonprod. I have tried the following combinations:

  1. /v1/my-namespace/nonprod/data/feature/testing-secrets
  2. /v1/nonprod/data/my-namespace/nonprod/feature/testing-secrets
  3. /v1/nonprod/data/my-namespace/feature/testing-secrets
  4. /v1/nonprod/data/feature/testing-secrets

This is in the context of using the External Secrets operator, but that operator uses the Vault Go library, and configures the client using the SetNamespace function on the vault client. With that in mind, #4 should work, assuming that SetNamespace augments the HTTP calls with the appropriate headers.

I’m digging through code, but would greatly appreciate some examples of using the HTTP API to get values from a KV2 Secret engine inside a vault namespace.

Number 1 looks correct to me.

Have you tried this already and it’s not working?

I have. #1, in particular, usually throws an API error “No controller for my-namespace/nonprod”

For what it’s worth, I have a post out to the external-secrets GitHub repository as well. They are using the Vault Go library, but utilizing NewRequest and RawRequestWithContext, and I’m not sure if that’s working with namespaces correctly. I don’t see any reason why it shouldn’t, but I’m not familiar enough with Go (outside of reading it) to debug.

I’d probably try hitting the API endpoints with curl or equivalent to see if what you’re attempting is valid. (I’ve not used the Go libraries before, just the regular REST endpoints)

I’m assuming your “my-namespace” namespace exists and there isn’t a duplicate secret mount with that same name, correct?

Likewise, your token has access to interact with the namespace and its contents?

I’m using my own credentials to generate the token, so it should be valid… I’ll try using postman to hit that API and see what is going on.

… Can I delete posts?

As it turns out, even though I had asked our admins to create a KV2, they created a V1 engine, so my configuration was trying to talk to a KV V1 engine as if it were a KV V2 engine. I had to get on with our admins to have them update the secret engine, and the calls work.

For others’ reference, I was able to make the following calls:

/v1/my-namespace/nonprod/data/feature/testing-secrets
and
/v1/nonprod/data/feature/testing-secrets with a header of X-Vault-Namespace: my-namespace

Both methods worked.
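The two request shapes from the thread (namespace as a path prefix, or the X-Vault-Namespace header), plus the check that would have caught the root cause early: confirm the mount's KV version from GET /v1/sys/mounts before deciding whether the "data/" segment belongs in the path. This is an added example, not code from the thread, the External Secrets operator or the Vault project. It assumes the thread's names (namespace my-namespace, mount nonprod, secret feature/testing-secrets); the Vault address, token and the sys/mounts body are constructed placeholders, and the example only builds the requests rather than sending them.

```python
"""Build KV read requests for a namespaced Vault mount and pick the right
path shape (KV v1 vs KV v2) from the mount's reported version.

Added example; the address, token and SAMPLE_MOUNTS below are constructed.
"""
from urllib.parse import quote

VAULT_ADDR = "https://vault.example.internal:8200"  # placeholder address

# Constructed sample of the per-mount map that GET /v1/sys/mounts returns.
# A KV v2 mount carries options.version == "2"; KV v1 mounts have no version.
SAMPLE_MOUNTS = {
    "nonprod/": {"type": "kv", "options": {"version": "2"}},
    "legacy/": {"type": "kv", "options": None},
    "pki/": {"type": "pki", "options": None},
}


def kv_version(mounts_body: dict, mount: str) -> int:
    """Return 1 or 2 for the KV engine mounted at `mount`.

    Raises if the mount is missing (wrong namespace, or not mounted) or is
    not a kv engine, so the caller does not silently build a bad path.
    """
    info = mounts_body.get(mount.rstrip("/") + "/")
    if info is None:
        raise KeyError(f"mount {mount!r} not found in this namespace")
    if info.get("type") != "kv":
        raise ValueError(f"mount {mount!r} is type {info.get('type')!r}, not kv")
    options = info.get("options") or {}
    return int(options.get("version", "1"))


def kv_read_request(namespace: str, mount: str, secret_path: str,
                    version: int, *, namespace_in_path: bool) -> tuple[str, dict]:
    """Return (url, headers) for reading `secret_path` under `mount`.

    KV v2 inserts a 'data' segment between the mount and the key; KV v1 does
    not. The namespace goes either in front of the mount (#1 in the thread)
    or in the X-Vault-Namespace header (#4 plus the header); Vault accepts both.
    """
    segments = [mount.strip("/")]
    if version == 2:
        segments.append("data")
    segments.append(secret_path.strip("/"))

    headers = {"X-Vault-Token": "<token-placeholder>"}  # caller supplies a real token
    if namespace_in_path:
        segments.insert(0, namespace.strip("/"))
    else:
        headers["X-Vault-Namespace"] = namespace.strip("/")

    url = f"{VAULT_ADDR}/v1/" + "/".join(quote(s, safe="/") for s in segments)
    return url, headers


def secret_data(read_body: dict, version: int) -> dict:
    """Unwrap a read response: KV v2 nests key/values under data.data
    (beside data.metadata), KV v1 puts them directly under data."""
    return read_body["data"]["data"] if version == 2 else read_body["data"]


if __name__ == "__main__":
    ver = kv_version(SAMPLE_MOUNTS, "nonprod")
    for in_path in (True, False):
        url, headers = kv_read_request("my-namespace", "nonprod",
                                       "feature/testing-secrets", ver,
                                       namespace_in_path=in_path)
        print(url, headers.get("X-Vault-Namespace", "(namespace in path)"))
```

Running the script prints the two equivalent requests for the thread's KV v2 mount. Had the admins' "legacy"-style v1 mount been consulted the same way, kv_version would return 1 and the "data" segment would be left out, which is the mismatch the original configuration tripped over.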