Using CLI vault read against KV v2

Hi,

I’m using Vault Server, which has recently been upgraded to version 1.14.1 and the storage has been migrated to Raft.

Now I’m thinking of enabling versioning.
When I did that in a test instance (by running vault kv enable-versioning secret) I faced an error while running the vault read command:

* Invalid path for a versioned K/V secrets engine. See the API docs for the
  appropriate API endpoints to use. If using the Vault CLI, use 'vault kv get'
  for this operation.

Unfortunately, 98% of our CI/CD code uses the vault read syntax and it would be very difficult to update it to the vault kv get syntax.

Is there a way to enable versioning and still read the secrets with vault read?

thanks,

No (or really “yes, but not in the way you mean”).

The APIs are different between v1 & v2 K/V stores.

vault read just does a raw HTTP GET to the API endpoint, which for v1 is the same as the path to a secret. With v2 the path you need to access is different (it contains /data/ at the start).

Using vault kv get the CLI will check if the secret mount is using v1 or v2 and then create the API call accordingly.

You can still use vault read but you’d still need to update your CI/CD code to have the new correct API path (and if doing that you might as well use vault kv get which is more futureproof).

1 Like

No, there isn’t.

The enable-versioning operation actually just does an upgrade from KV v1 to v2, which changes many other things besides just enabling versioning.

1 Like

However then you would still need to deal with the shape of the returned JSON being different!

1 Like
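Added example (not part of the thread, and not Vault's own code): a Python sketch of the two changes the replies describe when a mount goes from KV v1 to v2, namely the /data/ segment in the read path and the extra nesting in the returned JSON. The function names, mount names and sample responses are constructed for illustration.

```python
import json


def kv2_read_path(mount: str, v1_path: str) -> str:
    """Rewrite a KV v1 read path to the KV v2 data path of the same secret.

    The mount is passed explicitly: mount names may contain slashes, so it
    cannot be inferred from the path string alone.
    """
    mount = mount.strip("/")
    path = v1_path.strip("/")
    if not path.startswith(mount + "/"):
        raise ValueError(f"{v1_path!r} is not under mount {mount!r}")
    return f"{mount}/data/{path[len(mount) + 1:]}"


def secret_fields(response: dict, kv_version: int) -> dict:
    """Return the secret's key/value pairs from a v1 or v2 read response."""
    data = response["data"]
    if kv_version == 1:
        return data  # v1: the fields sit directly under "data"
    # v2: the fields sit under data.data, next to data.metadata
    if data.get("data") is None:
        raise LookupError("this version holds no data (for example, it was deleted)")
    return data["data"]


# Constructed sample responses, trimmed to the keys that matter here.
V1_RESPONSE = json.loads('{"lease_duration": 2764800, "data": {"password": "example"}}')
V2_RESPONSE = json.loads(
    '{"data": {"data": {"password": "example"},'
    ' "metadata": {"version": 2, "destroyed": false, "deletion_time": ""}}}'
)

if __name__ == "__main__":
    print(kv2_read_path("secret", "secret/ci/deploy"))  # path to pass to vault read
    print(secret_fields(V1_RESPONSE, 1) == secret_fields(V2_RESPONSE, 2))
```

A script that only rewrites the path and keeps reading fields from the top-level "data" object will get the "data" and "metadata" wrappers instead of the secret's fields.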