
I am implementing Spring Boot vault. Whenever I try to add more than one key, only the last one is saved. For example, at this page, https://www.javainuse.com/spring/cloud-vault, they have this example


But when I then query the vault, I see

```
c:\vault>vault kv get secret/javainuseapp
======= Data =======
Key           Value
---           -----
dbpassword    root
```

If I set both keys at the same time, it seems to work

```
c:\vault>vault kv put secret/javainuseapp dbusername=root dbpassword=root
Success! Data written to: secret/javainuseapp

c:\vault>vault kv get secret/javainuseapp
======= Data =======
Key           Value
---           -----
dbpassword    root
dbusername    root
```

How does one add additional keys?

Peter Kronenberg

1 Answer


This is standard usage for the Vault API, and therefore also for the CLI which is a wrapper around the Golang bindings around the REST API. If you want to overwrite a key value pair with the Vault CLI and retain the former key value pairs, then you must additionally specify them like you did in the final example:

```
vault kv put secret/javainuseapp dbusername=root dbpassword=root
```

All key value pairs specified during the command for a specific path will be stored at that secret version (the version corresponding to an integer equal to the number of writes at that path, unless previous versions are deleted). All key value pairs are still stored, but at the previous secret version. When you execute the command vault kv get secret/javainuseapp, you are retrieving the secret at the current version corresponding to the most recent write.

However, note that if the Vault policy or policies support patch operations on the secret path for the associated role/user/etc., then you can also execute a patch subcommand to only update one key value pair while retaining the others in the newest version of the secret:

```
vault kv patch secret/javainuseapp dbusername=root
```

and in that situation the dbpassword key will be retained in the newest secret version.

Matthew Schuchard
  • Thanks. Are you saying that if I do a `put` of an additional value, the other values are still retained, but the `get` doesn't show them? I tried doing a `patch`, but apparently my kv is at version 1 and I need version 2. How can I enable support for `patch`? Can you point to any resources where this is documented more thoroughly? – Peter Kronenberg Dec 09 '21 at 16:19
  • As written above in the answer, the write of a secret at the specified path contains only the specified key value pairs in the newest version, and the read with `kv get` implicitly retrieves only the latest version. If you retrieved multiple versions, that would likely cause problems for you. – Matthew Schuchard Dec 09 '21 at 16:56
  • KV version 1 has been deprecated for a few years now, so it would be highly advised to upgrade ASAP. As described in the answer, you can enable `patch` capabilities in the policy for the secret at that path. I had assumed based on the question you had developed the policies, but just in case here is the documentation for further information: https://www.vaultproject.io/docs/concepts/policies – Matthew Schuchard Dec 09 '21 at 16:58
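
Added example, not part of the original thread and not Vault's own code: a small Python model of the `put`, `patch` and `get` behaviour the answer describes, assuming a KV version 2 mount (a version 1 mount keeps no history). The class and function names are hypothetical, and the sequence of writes is constructed from the question.

```python
# Added illustration: an in-memory model of KV version 2 write semantics.
# It is not Vault code; KvV2Path and replay_question are hypothetical names.


class KvV2Path:
    """One secret path on a KV v2 mount: an append-only list of versions."""

    def __init__(self):
        self._versions = []  # list index 0 holds version 1

    def put(self, **pairs):
        # Models `vault kv put`: the new version holds ONLY the pairs given.
        self._versions.append(dict(pairs))
        return len(self._versions)

    def patch(self, **pairs):
        # Models `vault kv patch`: merge the given pairs into the latest
        # data and store the result as a new version.
        if not self._versions:
            raise LookupError("patch needs an existing version")
        self._versions.append({**self._versions[-1], **pairs})
        return len(self._versions)

    def get(self, version=None):
        # Models `vault kv get` (latest) and `vault kv get -version=N`.
        number = len(self._versions) if version is None else version
        if not 1 <= number <= len(self._versions):
            raise LookupError(f"no version {number}")
        return dict(self._versions[number - 1])


def replay_question():
    """Replay two separate puts (constructed), then the answer's patch."""
    path = KvV2Path()
    path.put(dbusername="root")        # version 1
    path.put(dbpassword="root")        # version 2 replaces, does not merge
    after_puts = path.get()            # what a plain `kv get` shows
    version_one = path.get(version=1)  # the earlier write is still stored
    path.patch(dbusername="root")      # version 3 = version 2 + dbusername
    return after_puts, version_one, path.get()


if __name__ == "__main__":
    for label, data in zip(("latest after puts", "version 1", "after patch"),
                           replay_question()):
        print(f"{label}: {data}")
```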