-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add automatic veryfication of Vault KV version #17
Comments
Generally speaking 'secret' backend may be mount on any arbitrary path. On HashiConf I've asked Vault developers to support some extension http header in responses with KV version, though hadn't succeed to push such idea. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In #11 was the comment -
"Unfortunately it's unclear how do that automatically since secret backend could be mounted anywhere"
Actually, it is not a very comfortable to update manually hundreds parameter variables which use values from Vault (secret/test -> secret/data/test) in case of migration from KV to KV v2.
However, I guess that it is possible to get a secret backend name from a secret path - the first word (e.g. secret/test -> secret/) and then use such request:
"curl --header "X-Vault-Token: " <VAULT_ADDRESS>/v1/sys/mounts"
for checking a version of secret backend. The Vault ACL rule is required for this:
path "sys/mounts" {
policy = "read"
}
I'd like to pay your attention that secret backend v1 can be have two possible types:
"kv"
"generic".
It makes migration process (KV -> KVv2) much more easier in case the plugin will be able to identify KV version on the fly
The text was updated successfully, but these errors were encountered: