peopledoc/vault-cli

Support mv operation in v2 of kv secrets engine

Opened this issue · 3 comments

I am not sure if vault-cli is expected to work with v2 of kv in general, since I had to add the 'data/' in the secret path myself to fetch secrets with the 'get' subcommand. With the 'mv' subcommand I was not so lucky, though. Here is the debug output.

$ vault -vv mv kv/data/path/to/secret kv/data/new/path/to/secret
INFO:vault_cli.cli:Log level set to DEBUG
INFO:vault_cli.settings:Reading yaml config file at ./vault.yml, contains keys: token, url, verify
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): vaultserver.example.org:8200
DEBUG:urllib3.connectionpool:https://vaultserver.example.org:8200 "GET /v1/kv/data/path/to/secret?list=True HTTP/1.1" 405 64
DEBUG:urllib3.connectionpool:https://vaultserver.example.org:8200 "GET /v1/kv/data/path/to/secret HTTP/1.1" 200 410
Move 'kv/data/path/to/secret' to 'kv/data/new/path/to/secret'
DEBUG:urllib3.connectionpool:https://vaultserver.example.org:8200 "GET /v1/kv/data/new/path/to/secret HTTP/1.1" 200 312
DEBUG:urllib3.connectionpool:https://vaultserver.example.org:8200 "GET /v1/kv/data/new/path/to/secret?list=True HTTP/1.1" 405 64
Error: Unexpected vault error

The List operation of the Vault API should be done differently (https://www.vaultproject.io/api/secret/kv/kv-v2.html#list-secrets) in version 2 of the kv secrets engine, so I guess the problem has to do with this.
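As an added illustration (not vault-cli's code), here is what an `mv` has to do against the kv v2 endpoints: reads and writes go to `<mount>/data/<path>`, while listing and full deletion go to `<mount>/metadata/<path>`; a LIST on `data/` is exactly the 405 in the debug output above. The `FakeKvV2` class is a constructed in-memory stand-in for Vault's HTTP API so the logic runs offline.

```python
class FakeKvV2:
    """Constructed stand-in for one kv v2 mount, addressed by API path like real Vault."""

    def __init__(self, mount):
        self.mount, self.versions = mount, {}  # logical path -> list of version dicts

    def _split(self, api_path):
        mount, kind, path = api_path.split("/", 2)
        if mount != self.mount or kind not in ("data", "metadata"):
            raise RuntimeError(f"404 unknown path: {api_path}")
        return kind, path

    def request(self, method, api_path, body=None):
        kind, path = self._split(api_path)
        if method == "GET" and kind == "data":       # read latest version
            if path not in self.versions:
                raise KeyError(path)
            vers = self.versions[path]
            return {"data": {"data": vers[-1], "metadata": {"version": len(vers)}}}
        if method == "POST" and kind == "data":      # write creates a new version
            self.versions.setdefault(path, []).append(dict(body["data"]))
            return {"data": {"version": len(self.versions[path])}}
        if method == "LIST" and kind == "metadata":  # listing is a metadata/ operation
            prefix = path.rstrip("/") + "/" if path else ""
            keys = set()
            for k in self.versions:
                if k.startswith(prefix):
                    rest = k[len(prefix):]
                    keys.add(rest.split("/")[0] + ("/" if "/" in rest else ""))
            return {"data": {"keys": sorted(keys)}}
        if method == "DELETE" and kind == "metadata":  # drops every version + metadata
            self.versions.pop(path, None)
            return None
        # Real Vault answers 405 for e.g. LIST on data/..., as in the report above.
        raise RuntimeError(f"405 Method Not Allowed: {method} {api_path}")


def kv2_list(vault, mount, path):
    """List children of a kv v2 path: must hit metadata/, never data/."""
    return vault.request("LIST", f"{mount}/metadata/{path}")["data"]["keys"]


def kv2_mv(vault, mount, src, dst):
    """Move one leaf secret in kv v2. Caveat: only the latest version is carried
    over; the version history of src is lost when its metadata is deleted."""
    current = vault.request("GET", f"{mount}/data/{src}")["data"]["data"]
    vault.request("POST", f"{mount}/data/{dst}", {"data": current})
    vault.request("DELETE", f"{mount}/metadata/{src}")
    return current
```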

Hello, and thanks for your report!

I think v2 is not supported yet. It might be an excellent idea to do so, maybe through a configuration parameter.
Would you be interested in working in this direction? Otherwise, I'm not sure I'll be working on v2 right away. If you're interested, though, I'll be delighted to provide support and guidance, and help you shape design decisions :)!

So, if I am not wrong, this tool is currently designed to work with version 1 of the kv secrets engine. Not other secrets engines, not version 2 of kv. Right? In that case, I guess I could look at supporting v2 too, with not that many changes to the code. But, if the intention / plan is to support more secrets engines in the future, I guess there is a lot more work that has to be done, perhaps changing the design to something more abstract.

So, if I am not wrong, this tool is currently designed to work with version 1 of the kv secrets engine. Not other secrets engines, not version 2 of kv. Right?

Right!

But, if the intention / plan is to support more secrets engines in the future, I guess there is a lot more work that has to be done

Hm, I believe we plan to use the PKI secrets engine at some point, and we may want to use this tool for other secrets engines too, so you're absolutely right in the sense that an abstraction layer will be required. I understand if you'd rather not start that kind of work. On my side, I have quite little experience with Vault secrets engines so far, so I'll need to play with it first.