I’m using Vault Server, which has recently been upgraded to version 1.14.1 and the storage has been migrated to Raft.
Now I’m thinking of enabling versioning.
When I did that in a test instance (by running vault kv enable-versioning secret) I faced an error while running the vault read command:
* Invalid path for a versioned K/V secrets engine. See the API docs for the
appropriate API endpoints to use. If using the Vault CLI, use 'vault kv get'
for this operation.
Unfortunately, 98% of our CI/CD code uses the vault read syntax and it would be very difficult to update it to the vault kv get syntax.
Is there a way to enable versioning and still read the secrets with vault read?
No (or really “yes, but not in the way you mean”).
The APIs are different between v1 & v2 K/V stores.
vault read just does a raw HTTP GET to the API endpoint, which for v1 is the same as the path to a secret. With v2 the path you need to access is different (it contains /data/ at the start).
Using vault kv get, the CLI will check if the secret mount is using v1 or v2 and then create the API call accordingly.
You can still use vault read but you’d still need to update your CI/CD code to have the new correct API path (and if doing that you might as well use vault kv get which is more futureproof).
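The path difference described in the answer, as an added example that is not part of the original thread: a shell helper that turns the logical secret path a CI script already has into the path `vault read` needs on a v1 or v2 mount. The function names, the `KV_MOUNT` and `KV_VERSION` variables and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# kv_api_path MOUNT VERSION SECRET_PATH
# Prints the path `vault read` must be given for a secret on a K/V mount:
#   v1: <mount>/<key>
#   v2: <mount>/data/<key>
# The mount is passed explicitly because it may itself contain slashes
# (e.g. "team/kv"), so "/data/" cannot simply follow the first segment.
kv_api_path() {
    kv_mount=${1#/}; kv_mount=${kv_mount%/}   # "secret/" or "/secret" -> "secret"
    kv_version=$2
    kv_path=${3#/}

    case "$kv_path" in
        "$kv_mount"/*) kv_key=${kv_path#"$kv_mount"/} ;;
        *) echo "kv_api_path: '$kv_path' is not under mount '$kv_mount'" >&2
           return 1 ;;
    esac
    if [ -z "$kv_key" ]; then
        echo "kv_api_path: no secret name after mount '$kv_mount'" >&2
        return 1
    fi

    case "$kv_version" in
        1) printf '%s/%s\n' "$kv_mount" "$kv_key" ;;
        # Always insert "data/": a key that really starts with "data/"
        # still needs the extra segment on a v2 mount.
        2) printf '%s/data/%s\n' "$kv_mount" "$kv_key" ;;
        *) echo "kv_api_path: unsupported K/V version '$kv_version'" >&2
           return 2 ;;
    esac
}

# Hypothetical wrapper a pipeline could call in place of `vault read <path>`.
# KV_MOUNT and KV_VERSION are assumed to be set by the pipeline.
vault_read_compat() {
    kv_target=$(kv_api_path "${KV_MOUNT:-secret}" "${KV_VERSION:-2}" "$1") || return
    vault read "$kv_target"
}

# Constructed sample path, no Vault server needed for this call:
kv_api_path secret 2 secret/ci/db   # → secret/data/ci/db
```

On a v2 mount the secret's keys come back nested under `data` alongside `metadata`, so `-field=` lookups written for v1 need adjusting as well as the path.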