HashiCorp Vault project - write additional key/value pair without overwriting existing ones
M

6

12

When I put the first key/value pair to Vault:

vault write secret/item/33 item_name='item_name' 

It works well and I get:

vault read secret/item/33

Key                     Value
---                     -----
refresh_interval        768h0m0s
item_name               item_name

But if I want to put an additional field item_type:

vault write secret/item/33 item_type='item_type' 

It overwrites the existing one:

vault read secret/item/33

Key                     Value
---                     -----
refresh_interval        768h0m0s
item_type               item_type

How do I write an additional field (key/value pair) to Vault without replacing existing ones?

Maquette answered 22/3, 2017 at 14:26 Comment(0)
A
3

You can only store one value per key. (Confirmed by Vault developer) Either you think of a suitable data structure and write a long string to this key, or you use a single key for each value, which could look as follows:

vault write secret/item/33/name item_name='item_name'
vault write secret/item/33/type item_type='item_type'
Abbeyabbi answered 24/3, 2017 at 7:17 Comment(0)
L
19

Vault with kv v2 engine has added this ability.

vault kv patch secret/item newkey=newvalue
Leitman answered 17/8, 2018 at 23:57 Comment(1)
I am using version 1, in which it's not allowed :( Jasisa
C
4

Vault lets you add multiple key=value pairs, like this:

vault kv put -mount=kv demo/keys \
  GOODGUY="ClintEastwood" \
  BADGUY="LeeVanCleef" \
  UGLYGUY="EliWallach"
Contrivance answered 15/3, 2023 at 22:37 Comment(0)
S
2

Vault doesn't allow you to append to an existing secret. It's actually really annoying. You first have to read the previous key/values and then write them back in at the same time that you're writing in the new key/values.

Here is a blog post I found where someone talks about that process: https://www.fritz.ninja/extending-vault-cli-with-some-ruby-love/

Essentially, he wrote his own command line tool that does the append for you automatically. He says he created the tool for his job, so he can't share the code, but he's started an open-source version on Github called Vaulty: https://github.com/playpasshq/vaulty

Shivaree answered 25/5, 2017 at 16:21 Comment(0)
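The read-then-write-back process described in the answer above, as an added example that is not part of the original answer and is not Vaulty's code. It assumes a KV v1 mount and the `vault` CLI on PATH; `merge_write` and `fake_vault` are hypothetical names, and the in-memory store is constructed so the demo runs offline.

```python
import json
import subprocess

def run_vault(args, stdin=None):
    """Call the real vault CLI; returns (exit_code, stdout, stderr)."""
    p = subprocess.run(["vault", *args], input=stdin,
                       capture_output=True, text=True)
    return p.returncode, p.stdout, p.stderr

def merge_write(path, new_fields, run=run_vault):
    """Read the KV v1 secret at path, add new_fields, write the union back.
    Not atomic: KV v1 has no check-and-set, so concurrent callers can
    still lose each other's updates."""
    rc, out, err = run(["read", "-format=json", path])
    if rc == 0:
        current = json.loads(out).get("data") or {}
    elif "No value found" in err:  # assumed CLI message for a missing path
        current = {}
    else:
        # Fail closed: writing after a failed read would wipe existing fields.
        raise RuntimeError(f"read {path} failed: {err.strip()}")
    merged = {**current, **new_fields}
    # "-" makes vault read the JSON body from stdin, so the values never
    # appear in argv or shell history.
    rc, _, err = run(["write", path, "-"], stdin=json.dumps(merged))
    if rc != 0:
        raise RuntimeError(f"write {path} failed: {err.strip()}")
    return merged

def fake_vault(store):
    """Constructed in-memory stand-in for the CLI so the demo runs offline."""
    def run(args, stdin=None):
        if args[0] == "read":
            path = args[-1]
            if path not in store:
                return 2, "", f"No value found at {path}"
            return 0, json.dumps({"data": store[path]}), ""
        store[args[1]] = json.loads(stdin)
        return 0, "", ""
    return run

if __name__ == "__main__":
    store = {}
    run = fake_vault(store)
    merge_write("secret/item/33", {"item_name": "item_name"}, run)
    print(merge_write("secret/item/33", {"item_type": "item_type"}, run))
```

Drop the `run` argument to call the real CLI. A failed read (for example a policy that allows write but not read) raises instead of writing, so existing fields are not silently replaced.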
C
1

vault kv put secret/hello foo=world excited=yes

Even with Key/value v1 you should be able to set multiple as long as you specify both in the same put command.

Cardamom answered 18/6, 2021 at 14:40 Comment(0)
S
1

Late to the OP. Anyway, what I do is create a JSON file with levels and sublevels of data (nested objects, a feature not available when only typing plain KEY=VALUE inputs) and then load the file into the KV engine through the @ operator, like $ vault kv put -mount=secret foo @data.json, and of course handle file permissions and ownership properly. Whenever I need to rotate the values, I just change the JSON file and then re-upload it.

IMO it's even better than just typing the values after the command because in that way it remains in bash history.

Smelly answered 12/11, 2022 at 5:39 Comment(0)
