Vault CLI Basics of Secrets Manager
Prerequisites
This document describes only the most important commands of the Vault CLI for dealing with secrets. If you want to dive in deeper, visit the official HashiCorp Vault CLI documentation.
Create secrets
In order to create a secret, you have to know the mount path. In our example the mount path is “cfd57686-620f-48e4-8590-26d93cedd549”. Replace the mount path with the ID of your secrets manager instance.
The path in this example is “awesome-secret”. In addition to that, we want to provide a key-value pair. The key is the name of the secret and the value is the secret itself. In this example the name is “mysecret” and the secret itself is “myAw350M353CR3T!”.
The command to create a secret looks like this:

$ vault kv put -mount=cfd57686-620f-48e4-8590-26d93cedd549 awesome-secret mysecret=myAw350M353CR3T!

If you want to provide more key-value pairs for your secret, just add a space and more key-value pairs. You will get a response at your terminal which looks like this:

== Secret Path ==
cfd57686-620f-48e4-8590-26d93cedd549/data/awesome-secret

======= Metadata =======
Key                Value
---                -----
created_time       2022-06-15T19:36:54.389113Z
custom_metadata
deletion_time      n/a
destroyed          false
version            1

To verify that your secret was created correctly, check the UI or continue with the next paragraph to learn how to read secrets with the CLI.
Read secrets
We need some parameters in order to retrieve the stored secrets. As mentioned above, we need the mount path (“cfd57686-620f-48e4-8590-26d93cedd549”) and the path (“awesome-secret”).
The command to read the secrets looks like this:

$ vault kv get -mount=cfd57686-620f-48e4-8590-26d93cedd549 awesome-secret

This command returns all secrets that are stored in that path. It can look like this:

== Secret Path ==
cfd57686-620f-48e4-8590-26d93cedd549/data/awesome-secret

======= Metadata =======
Key                Value
---                -----
created_time       2022-01-15T01:40:09.888293Z
custom_metadata
deletion_time      n/a
destroyed          false
version            2

===== Data =====
Key         Value
---         -----
mysecret    myAw350M353CR3T!

In case we want to retrieve the secret itself without the other information, we have to provide the key as the parameter “field”. This would look like this:

$ vault kv get -mount=cfd57686-620f-48e4-8590-26d93cedd549 -field=mysecret awesome-secret

The answer is:

myAw350M353CR3T!

Change secrets
To change a secret we use the same command as for creating a new secret:

$ vault kv put -mount=cfd57686-620f-48e4-8590-26d93cedd549 awesome-secret mysecret=Ihave1AnotherSecret!

The only difference is the value (password). Now we get a different result than before:

== Secret Path ==
cfd57686-620f-48e4-8590-26d93cedd549/data/awesome-secret

======= Metadata =======
Key                Value
---                -----
created_time       2022-06-15T19:36:54.389113Z
custom_metadata
deletion_time      n/a
destroyed          false
version            2

The version of the secret has been incremented.
Delete secrets
To delete a secret we need the mount path and the path.
The command looks like this:

$ vault kv delete -mount=cfd57686-620f-48e4-8590-26d93cedd549 awesome-secret

The response looks like:

Success! Data deleted (if it existed) at: cfd57686-620f-48e4-8590-26d93cedd549/data/awesome-secret

If you then try to read the secret, you get this response:

== Secret Path ==
cfd57686-620f-48e4-8590-26d93cedd549/data/awesome-secret

======= Metadata =======
Key                Value
---                -----
created_time       2022-01-15T01:40:09.888293Z
custom_metadata
deletion_time      2022-01-15T01:40:41.786995Z
destroyed          false
version            1

It takes some time until the secret is fully deleted, but then no data will be displayed.
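As an added example that is not part of this page or of the Vault project, the following Python wraps the commands above for scripted use: it feeds the secret value to `vault kv put` on stdin (a value of `-`) instead of placing it on the command line, where it would be recorded in shell history and visible in process listings, and it interprets `vault kv get -format=json` output to tell a live version from the soft-deleted state shown in the delete section. The `-format=json` flag and the `-` stdin convention are real Vault CLI features; the function names, the injectable `run` argument and the sample responses are constructed here.

```python
import json
import subprocess

# Mount path of the secrets manager instance used throughout this page.
MOUNT = "cfd57686-620f-48e4-8590-26d93cedd549"


def put_secret(path, key, value, mount=MOUNT, run=subprocess.run):
    """Write one key-value pair with `vault kv put`, feeding the value via stdin.

    A value of '-' makes the CLI read it from stdin, so the secret never lands
    in shell history or `ps` output. `run` is injectable so the call can be
    exercised without a Vault server (the real subprocess.run assumes the
    usual VAULT_ADDR/VAULT_TOKEN environment).
    """
    args = ["vault", "kv", "put", f"-mount={mount}", path, f"{key}=-"]
    run(args, input=value, text=True, check=True)
    return args


def get_secret(path, mount=MOUNT, run=subprocess.run):
    """Read a path with `vault kv get -format=json` and return the parsed JSON."""
    args = ["vault", "kv", "get", "-format=json", f"-mount={mount}", path]
    return json.loads(run(args, capture_output=True, text=True, check=True).stdout)


def inspect_secret(doc):
    """Reduce `vault kv get -format=json` output to (version, live, data).

    A version whose metadata carries a deletion_time (or destroyed=true) is
    soft-deleted: metadata is still returned but no data, the state shown in
    the delete section above.
    """
    meta = doc["data"]["metadata"]
    live = not meta.get("deletion_time") and not meta.get("destroyed", False)
    return meta["version"], live, (doc["data"].get("data") or {}) if live else {}


# Constructed sample responses (not captured from a real server), in the shape
# the CLI emits with -format=json for a KV version 2 mount.
LIVE_JSON = {"data": {"data": {"mysecret": "myAw350M353CR3T!"},
                      "metadata": {"created_time": "2022-01-15T01:40:09.888293Z",
                                   "custom_metadata": None, "deletion_time": "",
                                   "destroyed": False, "version": 2}}}
DELETED_JSON = {"data": {"data": None,
                         "metadata": {"created_time": "2022-01-15T01:40:09.888293Z",
                                      "custom_metadata": None,
                                      "deletion_time": "2022-01-15T01:40:41.786995Z",
                                      "destroyed": False, "version": 1}}}
```

`inspect_secret(LIVE_JSON)` yields `(2, True, {'mysecret': 'myAw350M353CR3T!'})`, while the soft-deleted sample yields `(1, False, {})`.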