- is there a size limit up to which one can store data in the kv2 engine?
- can a size limit (per key, per path) be imposed either by policy or by tuning?
- can I monitor the size of stored values (per key, per path or per mounted engine)?
- can I restrict the upload of a value by size and or filetype?
reason for asking is that if we allow “others” to store secrets in “our” vault, how can we make sure they don’t abuse it as a “general file store” - putting their “secret” pdfs or pictures or the like into it, but only use it for passwords, ssh/gpg keys and the like.
Hi, Tim. We’ve recently added a page to the documentation that addresses some of these questions: https://www.vaultproject.io/docs/internals/limits#versioned-key-value-store-kv-v2-secret-engine
The entries in kv-v2 are limited only by the storage entry size, or by the maximum request size configured in the listener. It is not currently possible to impose a lower limit on just kv-v2.
With the integrated storage (Raft) backend there is a metric, vault.raft-storage.entry_size, that can alert you to the presence of large storage entries, that might be from kv-v2. But it is not specific as to the source of the storage entries. There is currently no telemetry for monitoring kv-v2 storage usage (or more generally storage per secret engine) although that has been discussed as a roadmap item.