Set version limit for Secrets Manager
The Secrets Manager allows you to securely store and manage different versions of your sensitive data (Secrets). This is particularly useful for tracking changes and reverting to older states if needed. You can define the number of versions to retain at two levels:
- Instance Level: Here, you set a global limit for all secrets within your current Secrets Manager instance.
- Secret Level: Here, you can set specific limits for individual secrets that differ from the instance-wide setting. The default version limit on instances is unlimited (Value = 0). The default version limit on secrets is set to inherit the instances limit. It can be overwritten. The secrets limit always overrules the instances limit (unless 0/inherit is set).
Setting environment variables
Section titled “Setting environment variables”To set environment variables, you need to log in with an secrets manager user. The following environment variables can be set:
export VAULT\_TOKEN=$(vault token lookup --format=json | jq -r.data.id) export VAULT\_ADDR="https://prod.sm.eu01.stackit.cloud" export INSTANCE\_ID='The ID of your secrets manager instance' export SECRET='The path of the secret you want to change'Set instance version limit
Section titled “Set instance version limit”This setting will apply by default to all created secrets in your instance.
curl --header "X-Vault-Token: $VAULT\_TOKEN" \\ --header "Content-Type: application/json" \\ --request POST \\ --data '{"max\_versions":100}' \\ $VAULT\_ADDR/v1/$INSTANCE\_ID/configvault write $INSTANCE\_ID/config max\_versions=100The default version limit at the instance level can be set when creating a Secrets Manager. For an existing Secrets Manager, it can be modified in Security > Secrets Manager. Select your Secrets Manager from the list by clicking on it. On the sidebar menu on the left navigate to Overview to see the General information displayed on the right. Next to the headline General information click the button Edit:
Change the version limit. Please note that setting the version limit too low may result in the deletion of older versions. Click on Save to apply the changes:
Check instance version limit
Section titled “Check instance version limit”curl --header "X-Vault-Token: $VAULT\_TOKEN" \\ --request GET \\ $VAULT\_ADDR/v1/$INSTANCE\_ID/configvault read $INSTANCE\_ID/configInformation about the current instance version limit can be found in the dashboard in Overview > General Information.
Set secret version limit
Section titled “Set secret version limit”This setting allows you to define different version limits for specific, individual secrets. This is useful when certain secrets require a longer or shorter history than others.
Setting the version limit can be done either via a PATCH or PUT/POST request.
The PUT/POST overwrites other configurations and custom metadata on the secret level. A PATCH request would just update the version limit, keeping the other configurations.
PUT/POST Request
Section titled “PUT/POST Request”curl --header "X-Vault-Token: $VAULT\_TOKEN" \\ --header "Content-Type: application/json" \\ --request POST \\ --data '{"max\_versions": 50}' \\ $VAULT\_ADDR/v1/$INSTANCE\_ID/metadata/$SECRETvault kv metadata put -mount=$INSTANCE\_ID -max-versions=50 $SECRETPATCH Request
Section titled “PATCH Request”curl --header "X-Vault-Token: $VAULT\_TOKEN" \\ --header "Content-Type: application/merge-patch+json" \\ --request PATCH \\ --data '{"max\_versions": 50}' \\ $VAULT\_ADDR/v1/$INSTANCE\_ID/metadata/$SECRETvault kv metadata patch -mount=$INSTANCE\_ID -max-versions=50 $SECRETSelect the secret for which you want an individual version limit.
In General information click Edit. The version limit can be set individually or reset to continue inheriting from the instance.
For example: An instance-level version limit of 123 is set. This will be applied to the secret, because its individual setting is at 0 (inherit). Now you can overwrite the inherited version limit 123 by the individual secret’s setting. At the individual secret’s settings enter a number that does not equal 0.
Check secret version limit
Section titled “Check secret version limit”curl --header "X-Vault-Token: $VAULT\_TOKEN" \\ --request GET \\ $VAULT\_ADDR/v1/$INSTANCE\_ID/metadata/$SECRETvault kv metadata get -mount=$INSTANCE\_ID $SECRETWhen a secret is selected, find the version limit at the secret level in Overview > General information.