kv
kv
The kv
command groups subcommands for interacting with Vault's key/value secrets engine (both K/V Version 1 and K/V Version 2.
Syntax
Option flags for a given subcommand are provided after the subcommand, but before the arguments.
The path to where the secrets engine is mounted can be indicated with the -mount
flag, such as vault kv get -mount=secret creds
.
A flag provided but not defined: -mount
error means you are using an older version of Vault before the mount flag syntax was introduced. Upgrade to at least Vault 1.11, or refer to previous versions of the docs which only use the old syntax to refer to the mount path.
Examples
Create or update the key named "creds" in the K/V Version 2 enabled at "secret" with the value "passcode=my-long-passcode":
Read this value back:
Get metadata for the key named "creds":
Get a specific version of the key named "creds":
Usage
For more information, examples, and usage about a subcommand, click on the name of the subcommand in the sidebar.
kv delete
The kv delete
command deletes the data for the provided path in the key/value secrets engine. If using K/V Version 2, its versioned data will not be fully removed, but marked as deleted and will no longer be returned in normal get requests.
Examples
Delete the latest version of the key "creds":
[K/V Version 2] Delete version 11 of key "creds":
Usage
There are no flags beyond the standard set of flags included on all commands.
Command options
-mount
(string: "")
- Specifies the path where the KV backend is mounted. If specified, the next argument will be interpreted as the secret path. If this flag is not specified, the next argument will be interpreted as the combined mount path and secret path, with /data/ automatically inserted for KV v2 secrets.-versions
([]int: <required>)
- The versions to be deleted. The versioned data will not be deleted, but it will no longer be returned in normal get requests.
NOTE: The -versions
command option is only for K/V v2.
kv destroy
NOTE: This is a K/V Version 2 secrets engine command, and not available for Version 1.
The kv destroy
command permanently removes the specified versions' data from the key/value secrets engine. If no key exists at the path, no action is taken.
Examples
Destroy version 11 of the key "creds":
Usage
There are no flags beyond the standard set of flags included on all commands.
Output options
-format
(string: "table")
- Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via theVAULT_FORMAT
environment variable.
Command options
-mount
(string: "")
- Specifies the path where the KV backend is mounted. If specified, the next argument will be interpreted as the secret path. If this flag is not specified, the next argument will be interpreted as the combined mount path and secret path, with /data/ automatically inserted for KV v2 secrets.-versions
([]int: <required>)
- The versions to destroy. Their data will be permanently deleted.
kv enable-versioning
The kv enable-versioning
command turns on versioning for an existing non-versioned key/value secrets engine (K/V Version 1) at its path.
Examples
This command turns on versioning for the K/V Version 1 secrets engine enabled at "secret".
Usage
There are no flags beyond the standard set of flags included on all commands.
Output options
-format
(string: "table")
- Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via theVAULT_FORMAT
environment variable.
kv get
The kv get
command retrieves the value from K/V secrets engine at the given key name. If no key exists with that name, an error is returned. If a key exists with the name but has no data, nothing is returned.
Examples
Retrieve the data of the key "creds":
If K/V Version 1 secrets engine is enabled at "secret", the output has no metadata since there is no versioning information associated with the data:
Return only the "creds" "passcode" key:
Usage
Output options
-field
(string: "")
- Print only the field with the given name. Specifying this option will take precedence over other formatting directives. The result will not have a trailing newline making it ideal for piping to other processes.-format
(string: "table")
- Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via theVAULT_FORMAT
environment variable.
Command options
-mount
(string: "")
- Specifies the path where the KV backend is mounted. If specified, the next argument will be interpreted as the secret path. If this flag is not specified, the next argument will be interpreted as the combined mount path and secret path, with /data/ automatically inserted for KV v2 secrets.-version
(int: 0)
- Specifies the version to return. If not set the latest version is returned.
kv list
The kv list
command returns a list of key names at the specified location. Folders are suffixed with /. The input must be a folder; list on a file will not return a value. Note that no policy-based filtering is performed on keys; do not encode sensitive information in key names. The values themselves are not accessible via this command.
Use this command to list all existing key names at a specific path.
Examples
List values under the key "my-app":
Usage
There are no flags beyond the standard set of flags included on all commands.
Output options
-mount
(string: "")
- Specifies the path where the KV backend is mounted. If specified, the next argument will be interpreted as the secret path. If this flag is not specified, the next argument will be interpreted as the combined mount path and secret path, with /data/ automatically inserted for KV v2 secrets.-format
(string: "table")
- Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via theVAULT_FORMAT
environment variable.
kv metadata
NOTE: This is a K/V Version 2 secrets engine command, and not available for Version 1.
The kv metadata
command has subcommands for interacting with the metadata and versions for the versioned secrets (K/V Version 2 secrets engine) at the specified path.
Usage
kv metadata delete
The kv metadata delete
command deletes all versions and metadata for the provided key.
Examples
Deletes all versions and metadata of the key "creds":
kv metadata get
The kv metadata get
command retrieves the metadata of the versioned secrets at the given key name. If no key exists with that name, an error is returned.
Examples
Retrieves the metadata of the key name, "creds":
kv metadata put
The kv metadata put
command can be used to create a blank key in the K/V v2 secrets engine or to update key configuration for a specified key.
Examples
Create a key in the K/V v2 with no data at the key "creds":
Set the maximum number of versions to keep for the key "creds":
NOTE: If not set, the backend’s configured max version is used. Once a key has more than the configured allowed versions the oldest version will be permanently deleted.
Require Check-and-Set for the key "creds":
NOTE: When check-and-set is required, the key will require the cas
parameter to be set on all write requests. Otherwise, the backend’s configuration will be used.
Set the length of time before a version is deleted for the key "creds":
NOTE: If not set, the backend's configured Delete-Version-After is used. If set to a duration greater than the backend's, the backend's Delete-Version-After setting will be used. Any changes to the Delete-Version-After setting will only be applied to new versions.
Output options
-format
(string: "table")
- Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via theVAULT_FORMAT
environment variable.
Subcommand options
-cas-required
(bool: false)
- If true the key will require the cas parameter to be set on all write requests. If false, the backend’s configuration will be used. The default is false.-max-versions
(int: 0)
- The number of versions to keep per key. If not set, the backend’s configured max version is used. Once a key has more than the configured allowed versions the oldest version will be permanently deleted.-delete-version-after
(string:"0s")
– Set thedelete-version-after
value to a duration to specify thedeletion_time
for all new versions written to this key. If not set, the backend'sdelete_version_after
will be used. If the value is greater than the backend'sdelete_version_after
, the backend'sdelete_version_after
will be used. Accepts duration format strings.-custom-metadata
(string: "")
- Specifies a key-value pair for thecustom_metadata
field. This can be specified multiple times to add multiple pieces of metadata.-mount
(string: "")
- Specifies the path where the KV backend is mounted. If specified, the next argument will be interpreted as the secret path. If this flag is not specified, the next argument will be interpreted as the combined mount path and secret path, with /data/ automatically inserted for KV v2 secrets.
kv patch
NOTE: This is a K/V Version 2 secrets engine command, and not available for Version 1.
The kv patch
command writes the data to the given path in the K/V v2 secrets engine. The data can be of any type. Unlike the kv put
command, the patch
command combines the change with existing data instead of replacing them. Therefore, this command makes it easy to make a partial updates to an existing data.
Examples
If you wish to add an additional key-value (ttl=48h
) to the existing data at the key "creds":
NOTE: The kv put
command requires both the existing data and the data you wish to add in order to accomplish the same result.
The data can also be consumed from a file on disk by prefixing with the "@" symbol. For example:
Or it can be read from stdin using the "-" symbol:
Usage
Output options
-field
(string: "")
- Print only the field with the given name. Specifying this option will take precedence over other formatting directives. The result will not have a trailing newline making it ideal for piping to other processes.-format
(string: "table")
- Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via theVAULT_FORMAT
environment variable.
Command options
-method
(string: "patch")
- Specifies the patch method to use. Valid methods arepatch
andrw
. Thepatch
method uses an HTTPPATCH
request to apply the partial update. Therw
method will fetch the secret's data, perform an in-memory update, and write the updated data.-cas
(int: 0)
- Specifies the value to use for the Check-And-Set operation. This flag will only be used for thepatch
method. This flag is required ifcas_required
is set totrue
on either the secret or the engine's config. In order for apatch
to be successful,-cas
must be set to the current version of the secret. This flag will be ignored for therw
method. Instead, its value will be derived from fetching the current version of the secret.-mount
(string: "")
- Specifies the path where the KV backend is mounted. If specified, the next argument will be interpreted as the secret path. If this flag is not specified, the next argument will be interpreted as the combined mount path and secret path, with /data/ automatically inserted for KV v2 secrets.
kv put
The kv put
command writes the data to the given path in the K/V secrets engine.
If working with K/V v2, this command creates a new version of a secret at the specified location. If working with K/V v1, this command stores the given secret at the specified location.
Regardless of the K/V version, if the value does not yet exist at the specified path, the calling token must have an ACL policy granting the "create" capability. If the value already exists, the calling token must have an ACL policy granting the "update" capability.
Examples
Writes the data to the key "creds":
The data can also be consumed from a file on disk by prefixing with the "@" symbol. For example:
Or it can be read from stdin using the "-" symbol:
Usage
There are no flags beyond the standard set of flags included on all commands.
Output options
-field
(string: "")
- Print only the field with the given name. Specifying this option will take precedence over other formatting directives. The result will not have a trailing newline making it ideal for piping to other processes.-format
(string: "table")
- Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via theVAULT_FORMAT
environment variable.
Command options
-cas
(int: 0)
- Specifies to use a Check-And-Set operation. If not set the write will be allowed. In order for a write to be successful,cas
must be set to the current version of the secret. If set to 0 a write will only be allowed if the key doesn’t exist as unset keys do not have any version information. Also remember that soft deletes do not remove any underlying version data from storage. In order to write to a soft deleted key, the cas parameter must match the key's current version. The default is -1.-mount
(string: "")
- Specifies the path where the KV backend is mounted. If specified, the next argument will be interpreted as the secret path. If this flag is not specified, the next argument will be interpreted as the combined mount path and secret path, with /data/ automatically inserted for KV v2 secrets.
kv rollback
NOTE: This is a K/V Version 2 secrets engine command, and not available for Version 1.
The kv rollback
command restores a given previous version to the current version at the given path. The value is written as a new version; for instance, if the current version is 5 and the rollback version is 2, the data from version 2 will become version 6. This command makes it easy to restore unintentionally overwritten data.
Examples
Restores the version 2 of the data at key "creds":
Usage
There are no flags beyond the standard set of flags included on all commands.
Output options
-format
(string: "table")
- Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via theVAULT_FORMAT
environment variable.
Command options
-mount
(string: "")
- Specifies the path where the KV backend is mounted. If specified, the next argument will be interpreted as the secret path. If this flag is not specified, the next argument will be interpreted as the combined mount path and secret path, with /data/ automatically inserted for KV v2 secrets.-version
(int: 0)
- Specifies the version number that should be made current again.
kv undelete
NOTE: This is a K/V Version 2 secrets engine command, and not available for Version 1.
The kv undelete
command undoes the deletes of the data for the provided version and path in the key-value store. This restores the data, allowing it to be returned on get requests.
Examples
Undelete version 3 of the key "creds":
Usage
There are no flags beyond the standard set of flags included on all commands.
Output options
-format
(string: "table")
- Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via theVAULT_FORMAT
environment variable.
Command options
-mount
(string: "")
- Specifies the path where the KV backend is mounted. If specified, the next argument will be interpreted as the secret path. If this flag is not specified, the next argument will be interpreted as the combined mount path and secret path, with /data/ automatically inserted for KV v2 secrets.-versions
([]int: <required>)
- Specifies the version number that should be made current again.
Last updated