secrets kv-v1 in vault
#Enable KV-V2 engine
$ vault secrets enable -path=secret kv-v2
# If the KV version is version:1, upgrade it to version:2
$ vault kv enable-versioning secret/
#Put the data in the secret
$ vault kv put secret/customer/novopay name="NovoPay Pvt Limited" \
contact_email="<CONTACT_EMAIL>" # ----------> This write creates version 1
#Create another data in same path
$ vault kv put secret/customer/novopay name="NovoPay Pvt Limited" \
contact_email="<CONTACT_EMAIL>" # --------> Writing to the same path again creates version 2
#Read the secret from the same path
$ vault kv get secret/customer/novopay
#For Specific Version search
$ vault kv get -version=2 secret/customer/novopay
#Merge rest fields from same path while updating just one
$ vault kv patch secret/customer/novopay contact_email="<CONTACT_EMAIL>"
#Get the metadata from the path defined
$ vault kv metadata get secret/customer/novopay
#Limit the number of versions to retain in kv-v2
$ vault write secret/config max_versions=4
#check the changes
$ vault read secret/config
#Configure the secret at path secret/customer/novopay to limit secrets to a maximum of 4 versions.
$ vault kv metadata put -max-versions=4 secret/customer/novopay
#Get the metadata of the secret defined at the path secret/customer/novopay
$ vault kv metadata get secret/customer/novopay
#Delete multiple versions (the kv/ mount used below is assumed to be a kv-v2 engine like secret/ above; only secret/ and kv-v1/ are enabled in these notes)
$ vault kv delete -versions="4,5" kv/customer/novopay
#Undelete the Version on the path
$ vault kv undelete -versions=5 kv/customer/novopay
#Permanently delete a version with destroy (unlike delete, a destroyed version cannot be undeleted)
$ vault kv destroy -versions=4 kv/customer/novopay
#Delete all versions from the defined path
$ vault kv metadata delete kv/customer/novopay
#Configure the automatic deletion of versions after a specified time
$ vault kv metadata put -delete-version-after=40s kv/customer/novopay
#Vault has another cool feature of check and set operation to stop unintentional
#secret overwrite. When you pass the cas flag to Vault, it first checks if the key already exists.
$ vault read kv/config # ----> cas_required setting is false
$ vault write kv/config cas_required=true
#Enable the same on the path inside the kv
$ vault kv metadata put -cas-required=true kv/customer/novopay
#Once check-and-set is enabled, every write operation requires the cas parameter with the current version of the secret. Set cas to 0 when a secret at that path does not already exist.
$ vault kv put -cas=0 kv/customer/novopay name="Example Co." partner_id="123456789"
$ vault kv put -cas=1 secret/partner name="Example Co." \
partner_id="ABCDEFGHIJKLMN"
#Enable Key/value version 1 as secret engine
$ vault secrets enable -path="kv-v1" kv
#Put the API key for google owned by the engineering team; this example illustrates the path convention
$ vault kv put kv-v1/<PATH> <KEY>=<VALUE>
$ vault kv put kv-v1/eng/apikey/google key=<KEY_TO_PUT>
$ vault kv put kv-v1/<OWNER>/apikey/<APP> <KEY>=<VALUE>
#Read the Value from the above key
$ vault kv get kv-v1/eng/apikey/google
$ vault read kv-v1/eng/apikey/google
#Path Convention for storing the certificate
# kv-v1/<ENVIRONMENT>/cert/<SYSTEM>
$ vault kv put kv-v1/prod/cert/mysql cert=@<CERT_FILE>
$ vault policy write apps - << EOF
# Read-only permit
path "kv-v1/eng/apikey/google" {
capabilities = [ "read" ]
}
# Read-only permit
path "kv-v1/prod/cert/mysql" {
capabilities = [ "read" ]
}
EOF
#Create a new token attached to the apps policy and use it to verify that only the permitted paths are readable
$ vault token create -policy=apps -period=24h
$ VAULT_TOKEN=<TOKEN_FROM_ABOVE> vault kv get -field=key kv-v1/eng/apikey/google
$ VAULT_TOKEN=<TOKEN> vault kv get -field=cert kv-v1/prod/cert/mysql
#To keep the secret value out of the terminal and the shell history, use one of the options below
#Option 1: Use a dash "-"
#An easy technique is to use a dash "-" and then press Enter. This allows you to enter the secret on a new line. After entering the secret, press Ctrl+d to end the pipe which will write the secret to the Vault.
$ vault kv put kv-v1/eng/apikey/google key=-
#Option 2: Read the secret from a file (a bare @file argument must contain JSON key/value pairs; to read a single value from a file use key=@file)
$ vault kv put kv-v1/eng/apikey/google @apikey.txt
#Option 3: Keep vault commands out of the bash history (this only affects the history file; values passed on the command line are still visible in the process list while the command runs, so prefer options 1 or 2 for the value itself)
$ export HISTIGNORE="&:vault*"
#How do I save multiple values at once?
$ vault kv put kv-v1/dev/config/mongodb url=foo.example.com:35533 \
db_name=users \
username=admin password=passw0rd