I’m using Vault Server, which has recently been upgraded to version 1.14.1 and the storage has been migrated to Raft.
Now I’m thinking of enabling versioning.
When I did that in a test instance (by running vault kv enable-versioning secret) I faced an error while running the vault read command:
* Invalid path for a versioned K/V secrets engine. See the API docs for the
appropriate API endpoints to use. If using the Vault CLI, use 'vault kv get'
for this operation.
Unfortunately, 98% of our CI/CD code uses the vault read syntax and it would be very difficult to update it to the vault kv get syntax.
Is there a way to enable versioning and still read the secrets with
No (or really “yes, but not in the way you mean”).
The APIs are different between v1 & v2 K/V stores.
vault read just does a raw HTTP GET to the API endpoint, which for v1 is the same as the path to a secret. With v2 the path you need to access is different (it contains /data/ at the start).
vault kv get the CLI will check if the secret mount is using v1 or v2 and then create the API call accordingly.
You can still use vault read but you’d still need to update your CI/CD code to have the new correct API path (and if doing that you might as well use vault kv get which is more futureproof).
No, there isn’t.
The enable-versioning operation actually just does an upgrade from KV v1 to v2, which changes many other things besides just enabling versioning.
However then you would still need to deal with the shape of the returned JSON being different!
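Added example, not part of the thread and not HashiCorp code: a small Python sketch of the two differences the answers describe, the read path (KV v2 inserts a data/ segment after the mount name) and the shape of the returned JSON (KV v2 nests the secret under data.data beside a metadata object). The function names, the mount name, the secret path and the sample responses are all constructed for illustration.

```python
def kv_read_path(legacy_path, mount, kv_version):
    """Turn a v1-style path (e.g. 'secret/ci/db') into the path to read.

    The mount must be passed explicitly: a mount name can span several
    segments, so it cannot be inferred from the path alone.
    """
    mount = mount.strip("/")
    legacy_path = legacy_path.strip("/")
    if not legacy_path.startswith(mount + "/"):
        raise ValueError(f"{legacy_path!r} is not under mount {mount!r}")
    rest = legacy_path[len(mount) + 1:]
    if kv_version == 1:
        return f"{mount}/{rest}"
    if kv_version == 2:
        # KV v2 serves secret contents under <mount>/data/<path>.
        return f"{mount}/data/{rest}"
    raise ValueError(f"unsupported KV version: {kv_version}")


def secret_fields(response, kv_version):
    """Return the secret's key/value pairs from a parsed read response."""
    data = response["data"]
    if kv_version == 1:
        return data  # v1: the key/value pairs sit directly under "data"
    inner = data.get("data")  # v2: one level deeper, beside "metadata"
    if inner is None:
        raise KeyError("response carries no secret data")
    return inner


# Constructed sample responses showing the two shapes.
V1_RESPONSE = {"data": {"username": "ci", "password": "example-only"}}
V2_RESPONSE = {
    "data": {
        "data": {"username": "ci", "password": "example-only"},
        "metadata": {"version": 3, "destroyed": False},
    }
}

if __name__ == "__main__":
    for version, resp in ((1, V1_RESPONSE), (2, V2_RESPONSE)):
        print(version, kv_read_path("secret/ci/db", "secret", version),
              sorted(secret_fields(resp, version)))
```

A CI/CD script that parses the output of vault read needs both changes at once: the new path alone returns a document whose top-level data keys are data and metadata rather than the secret's own fields.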