Key-Value Store (Version 2)
Key-Value Store (Version 2)
Details
Interact with vault's version 2 key-value store. This is useful for storing simple key-value data that can be versioned and for storing metadata alongside the secrets (see vault_client_kv1 for a simpler key-value store, and see https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2 for detailed information about this secret store.
A kv2
store can be mounted anywhere, so all methods accept
a mount
argument. This is different to the CLI which lets
you try and read values from any vault path, but similar to other
secret and auth backends which accept arguments like
-mount-point
. So if the kv2
store is mounted at
/project-secrets
for example, with a vault client
vault
one could write
$secrets$kv2$get("/project-secrets/mysecret",
vaultmount = "project-secrets")
or
<- vault$secrets$kv2$custom_mount("project-secrets")
kv2 $get("mysecret") kv2
If the leading part of of a path to secret within a kv2
store does not match the mount point, vaultr
will throw an
error. This approach results in more predictable error messages,
though it is a little more typing than for the CLI vault client.
Super class
vaultr::vault_client_object
-> vault_client_kv2
Methods
Inherited methods
Method new()
Create a vault_client_kv2
object. Not typically
called by users.
Usage
vault_client_kv2$new(api_client, mount)
Arguments
api_client
A vault_api_client object
mount
Mount point for the backend
Method config()
Fetch the configuration for this kv2
store.
Returns a named list of values, the contents of which will
depend on the vault version.
Method custom_mount()
Set up a vault_client_kv2
object at a custom
mount. For example, suppose you mounted another copy of the
kv2
secret backend at /secret2
you might use kv <- vault$secrets$kv2$custom_mount("/secret2")
- this pattern is
repeated for other secret and authentication backends.
Method delete()
Delete a secret from the vault. This marks the version as deleted and will stop it from being returned from reads, but the underlying data will not be removed. A delete can be undone using the undelete method.
Method destroy()
Delete a secret entirely. Unlike delete
this
operation is irreversible and is more like the delete
operation on vault_client_kv1
stores.
Method get()
Read a secret from the vault
Arguments
path
Path of the secret to read
version
Optional version of the secret to read. If
NULL
(the default) then the most recent version is read. Otherwise this must be a scalar integer.field
Optional field to read from the secret. Each secret is stored as a key/value set (represented in R as a named list) and this is equivalent to using
[[field]]
on the return value. The default,NULL
, returns the full set of values.metadata
Logical, indicating if we should return metadata for this secret (lease information etc) as an attribute along with the values itself. Ignored if
field
is specified.mount
Custom mount path to use for this store (see
Details
).
Method list()
List data in the vault at a give path. This can
be used to list keys, etc (e.g., at /secret
).
Arguments
path
The path to list
full_names
Logical, indicating if full paths (relative to the vault root) should be returned.
mount
Custom mount path to use for this store (see
Details
).value
A character vector (of zero length if no keys are found). Paths that are "directories" (i.e., that contain keys and could themselves be listed) will be returned with a trailing forward slash, e.g.
path/
Method metadata_put()
Update metadata for a secret. This is allowed
even if a secret does not yet exist, though this requires the
create
vault permission at this path.
Arguments
path
Path of secret to update metadata for
cas_required
Logical, indicating that if If true the key will require the cas parameter to be set on all write requests (see
put
). IfFALSE
, the backend's configuration will be used.max_versions
Integer, indicating the maximum number of versions to keep per key. If not set, the backend's configured max version is used. Once a key has more than the configured allowed versions the oldest version will be permanently deleted.
mount
Custom mount path to use for this store (see
Details
).
Method metadata_delete()
This method permanently deletes the key metadata and all version data for the specified key. All version history will be removed.
Method put()
Create or update a secret in this store.
Arguments
path
Path for the secret to write, such as
/secret/mysecret
data
A named list of values to write into the vault at this path.
cas
Integer, indicating the "cas" value to use a "Check-And-Set" operation. If not set the write will be allowed. If set to 0 a write will only be allowed if the key doesn't exist. If the index is non-zero the write will only be allowed if the key's current version matches the version specified in the cas parameter.
mount
Custom mount path to use for this store (see
Details
).
Examples
server <- vaultr::vault_test_server(if_disabled = message)
#> ...waiting for Vault to start
#> ...waiting for Vault to start
if (!is.null(server)) {
client <- server$client()
# With the test server as created by vaultr, the kv2 storage
# engine is not enabled. To use the kv2 store we must first
# enable it; the command below will add it at the path /kv on
# our vault server
client$secrets$enable("kv", version = 2)
# For ease of reading, create a 'kv' object for interacting with
# the store (see below for the calls without this object)
kv <- client$secrets$kv2$custom_mount("kv")
kv$config()
# The version-2 kv store can be treated largely the same as the
# version-1 store, though with slightly different command names
# (put instead of write, get instead of read)
kv$put("/kv/path/secret", list(key = "value"))
kv$get("/kv/path/secret")
# But it also allows different versions to be stored at the same path:
kv$put("/kv/path/secret", list(key = "s3cret!"))
kv$get("/kv/path/secret")
# Old versions can be retrieved still:
kv$get("/kv/path/secret", version = 1)
# And metadata about versions can be retrieved
kv$metadata_get("/kv/path/secret")
# cleanup
server$kill()
}