Should alter MountPath to obtain secrets Using both Java and .NET

Hello

We use [Vault 1.6.2+ent].

In both Java and .NET implementations, we had to add /data between the word secret and the rest of mount_path (using KV engine). EX: secret/data/applications/0077/non_production/development/.

This is not documented anywhere; it took me 4 days to figure this out after a long search.

The question is, is this a bug? If not, is it to stay in future versions?

Thanks
Abdu ElWhidi

This is detailed here:

Thanks for the reply. The question is why when I used the CLI it worked without /data, however, when I use Java or .NET I have to use it. The server here is the same. Shouldn’t it be consistent?

If you are referring to Vault CLI’s kv get command, it has additional logic which automatically detects and adds data to path when necessary. If you were to try and use vault read, you would need to use the data path - see below for example.

~ ❯ vault secrets enable -version=2 -path=kv2 kv                                                                                     09:20:08 AM
Success! Enabled the kv secrets engine at: kv2/
~ ❯ vault kv put kv2/secret a=b                                                                                                      09:20:35 AM
Key              Value
---              -----
created_time     2021-11-10T15:20:51.132725Z
deletion_time    n/a
destroyed        false
version          1
~ ❯ vault kv get kv2/secret                                                                                                          09:20:51 AM
====== Metadata ======
Key              Value
---              -----
created_time     2021-11-10T15:20:51.132725Z
deletion_time    n/a
destroyed        false
version          1

== Data ==
Key    Value
---    -----
a      b
~ ❯ vault read kv2/secret                                                                                                            09:20:56 AM
WARNING! The following warnings were returned from Vault:

  * Invalid path for a versioned K/V secrets engine. See the API docs for the
  appropriate API endpoints to use. If using the Vault CLI, use 'vault kv get'
  for this operation.

~ ❯ vault read kv2/data/secret                                                                                                       09:21:00 AM
Key         Value
---         -----
data        map[a:b]
metadata    map[created_time:2021-11-10T15:20:51.132725Z deletion_time: destroyed:false version:1]
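
The path rewriting discussed in this thread, written out as an added example (not code from the thread, from Vault, or from any client library). `to_api_path` and `extract_secret` are hypothetical helper names, and the caller is assumed to already know the mount path and the KV engine version.

```python
"""Map the logical path typed into `vault kv get` to the path an API client must request."""

def to_api_path(logical_path, mount, kv_version, kind="data"):
    """Return the path to use after /v1/ for a KV secret.

    KV v1: the logical path is used unchanged.
    KV v2: <mount>/<kind>/<rest>, where kind is "data" (read/write a secret)
           or "metadata" (version info, listing).
    The segment goes right after the mount, so the mount must be known.
    No attempt is made to detect an existing "data/" prefix: a v2 secret
    may legitimately be named "data/...", so guessing would be ambiguous.
    """
    mount = mount.strip("/")
    logical = logical_path.strip("/")
    if not mount or not logical.startswith(mount + "/"):
        raise ValueError(f"{logical_path!r} is not under mount {mount!r}")
    if kv_version == 1:
        return logical
    if kv_version != 2 or kind not in ("data", "metadata"):
        raise ValueError("unsupported KV version or endpoint kind")
    rest = logical[len(mount) + 1:].lstrip("/")
    return f"{mount}/{kind}/{rest}"

def extract_secret(response, kv_version):
    """Return (secret, metadata) from a decoded read response.

    KV v2 wraps the key/value pairs one level deeper (data.data) and
    returns version metadata beside them; KV v1 has neither.
    """
    body = response["data"]
    if kv_version == 2:
        return body["data"], body["metadata"]
    return body, None

# Constructed sample mirroring the `vault read kv2/data/secret` output above.
SAMPLE_V2_RESPONSE = {
    "data": {
        "data": {"a": "b"},
        "metadata": {"created_time": "2021-11-10T15:20:51.132725Z",
                     "deletion_time": "", "destroyed": False, "version": 1},
    }
}

if __name__ == "__main__":
    print(to_api_path("kv2/secret", "kv2", 2))
    print(to_api_path("secret/applications/0077/non_production/development/", "secret", 2))
    print(extract_secret(SAMPLE_V2_RESPONSE, 2))
```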