From 435363ef2a2bcb90650e846afe6b845475a04369 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core
 <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Fri, 27 Oct 2023 12:42:18 -0400
Subject: [PATCH] backport of commit 425b1e333d008f37fe517ee3c886e8fe96c3e5ce
 (#23885)

Co-authored-by: Josh Black <raskchanky@gmail.com>
---
 changelog/23872.txt         | 3 +++
 physical/etcd/etcd3.go      | 4 ++--
 physical/etcd/etcd3_test.go | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)
 create mode 100644 changelog/23872.txt

diff --git a/changelog/23872.txt b/changelog/23872.txt
new file mode 100644
index 000000000..b486fd258
--- /dev/null
+++ b/changelog/23872.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+storage/etcd: etcd should only return keys when calling List()
+```
diff --git a/physical/etcd/etcd3.go b/physical/etcd/etcd3.go
index 57a838a69..8501a8b40 100644
--- a/physical/etcd/etcd3.go
+++ b/physical/etcd/etcd3.go
@@ -14,7 +14,7 @@ import (
 	"sync"
 	"time"
 
-	metrics "github.com/armon/go-metrics"
+	"github.com/armon/go-metrics"
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-secure-stdlib/parseutil"
 	"github.com/hashicorp/go-secure-stdlib/strutil"
@@ -238,7 +238,7 @@ func (c *EtcdBackend) List(ctx context.Context, prefix string) ([]string, error)
 	ctx, cancel := context.WithTimeout(context.Background(), c.requestTimeout)
 	defer cancel()
 	prefix = path.Join(c.path, prefix) + "/"
-	resp, err := c.etcd.Get(ctx, prefix, clientv3.WithPrefix())
+	resp, err := c.etcd.Get(ctx, prefix, clientv3.WithPrefix(), clientv3.WithKeysOnly())
 	if err != nil {
 		return nil, err
 	}
diff --git a/physical/etcd/etcd3_test.go b/physical/etcd/etcd3_test.go
index a2de6314d..9156fc136 100644
--- a/physical/etcd/etcd3_test.go
+++ b/physical/etcd/etcd3_test.go
@@ -26,7 +26,7 @@ func TestEtcd3Backend(t *testing.T) {
 		"username": "root",
 		"password": "insecure",
 
-		// Syncing adverticed client urls should be disabled since docker port mapping confuses the client.
+		// Syncing advertised client urls should be disabled since docker port mapping confuses the client.
 		"sync": "false",
 	}