Add requested generated secret example (#20556)

* Add requested generated secret example

* Fix code block types

* Update website/content/docs/secrets/kv/kv-v1.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/secrets/kv/kv-v2.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
Jonathan Frappier 2023-05-10 18:21:26 -04:00 committed by GitHub
parent b5606770f6
commit 82427e355f
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 133 additions and 19 deletions


@ -28,8 +28,8 @@ secret's path.
To enable a version 1 kv store: To enable a version 1 kv store:
``` ```shell-session
vault secrets enable -version=1 kv $ vault secrets enable -version=1 kv
``` ```
## Usage ## Usage
@ -40,14 +40,14 @@ allows for writing keys with arbitrary values.
1. Write arbitrary data: 1. Write arbitrary data:
```text ```shell-session
$ vault kv put kv/my-secret my-value=s3cr3t $ vault kv put kv/my-secret my-value=s3cr3t
Success! Data written to: kv/my-secret Success! Data written to: kv/my-secret
``` ```
1. Read arbitrary data: 1. Read arbitrary data:
```text ```shell-session
$ vault kv get kv/my-secret $ vault kv get kv/my-secret
Key Value Key Value
--- ----- --- -----
@ -56,7 +56,7 @@ allows for writing keys with arbitrary values.
1. List the keys: 1. List the keys:
```text ```shell-session
$ vault kv list kv/ $ vault kv list kv/
Keys Keys
---- ----
@ -65,11 +65,50 @@ allows for writing keys with arbitrary values.
1. Delete a key: 1. Delete a key:
``` ```shell-session
$ vault kv delete kv/my-secret $ vault kv delete kv/my-secret
Success! Data deleted (if it existed) at: kv/my-secret Success! Data deleted (if it existed) at: kv/my-secret
``` ```
You can also use [Vault's password policy](/vault/docs/concepts/password-policies) feature to generate arbitrary values.
1. Write a password policy:
```shell-session
$ vault write sys/policies/password/example policy=-<<EOF
length=20
rule "charset" {
charset = "abcdefghij0123456789"
min-chars = 1
}
rule "charset" {
charset = "!@#$%^&*STUVWXYZ"
min-chars = 1
}
EOF
```
1. Write data using the `example` policy:
```shell-session
$ vault kv put kv/my-generated-secret \
password=$(vault read -field password sys/policies/password/example/generate)
```
1. Read the generated data:
```shell-session
$ vault kv get kv/my-generated-secret
====== Data ======
Key Value
--- -----
password ^dajd609Xf8Zhac$dW24
```
## TTLs ## TTLs
Unlike other secrets engines, the KV secrets engine does not enforce TTLs Unlike other secrets engines, the KV secrets engine does not enforce TTLs
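Review bot: the heredoc delimiter in `$ vault write sys/policies/password/example policy=-<<EOF` is unquoted while the second rule's charset (`charset = "!@#$%^&*STUVWXYZ"`) contains `!` and `$`; in an interactive bash session with history expansion on, the `!` can fail with an "event not found" error before Vault ever sees the policy. Suggest `policy=-<<'EOF'` so the body is passed literally (the same applies to the identical heredoc added in kv-v2.mdx). Also, the `vault kv put kv/my-generated-secret` step ends with no output, whereas the earlier `vault kv put kv/my-secret` step in this hunk shows `Success! Data written to: kv/my-secret` and the kv-v2.mdx counterpart adds an **Example output:** block; showing the same `Success! Data written to:` line here keeps the two pages consistent.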


@ -63,7 +63,9 @@ $ cat payload.json
"version": "2" "version": "2"
} }
} }
```
```shell-session
$ curl \ $ curl \
--header "X-Vault-Token: ..." \ --header "X-Vault-Token: ..." \
--request POST \ --request POST \
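Review bot: closing the payload block after `}` and opening a separate `shell-session` fence for the `curl` command is the right split, but the opening fence of the JSON block sits above this hunk and is not visible here; confirm it carries a language tag (for example `json`) so both halves render with highlighting rather than only the second.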
@ -81,7 +83,7 @@ differently.
Writing and reading versions are prefixed with the `data/` path. This policy Writing and reading versions are prefixed with the `data/` path. This policy
that worked for the version 1 kv: that worked for the version 1 kv:
``` ```plaintext
path "secret/dev/team-1/*" { path "secret/dev/team-1/*" {
capabilities = ["create", "update", "read"] capabilities = ["create", "update", "read"]
} }
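Review bot: `plaintext` is a safe choice, but this block is an HCL policy document (`path "secret/dev/team-1/*" { capabilities = ["create", "update", "read"] }`); if the site's highlighter supports it, tagging it `hcl` would give proper syntax highlighting. The same point applies to the other policy blocks retagged `plaintext` in the hunks that follow in this file.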
@ -89,7 +91,7 @@ path "secret/dev/team-1/*" {
Should be changed to: Should be changed to:
``` ```plaintext
path "secret/data/dev/team-1/*" { path "secret/data/dev/team-1/*" {
capabilities = ["create", "update", "read"] capabilities = ["create", "update", "read"]
} }
@ -98,7 +100,7 @@ path "secret/data/dev/team-1/*" {
There are different levels of data deletion for this backend. To grant a policy There are different levels of data deletion for this backend. To grant a policy
the permissions to delete the latest version of a key: the permissions to delete the latest version of a key:
``` ```plaintext
path "secret/data/dev/team-1/*" { path "secret/data/dev/team-1/*" {
capabilities = ["delete"] capabilities = ["delete"]
} }
@ -106,7 +108,7 @@ path "secret/data/dev/team-1/*" {
To allow the policy to delete any version of a key: To allow the policy to delete any version of a key:
``` ```plaintext
path "secret/delete/dev/team-1/*" { path "secret/delete/dev/team-1/*" {
capabilities = ["update"] capabilities = ["update"]
} }
@ -114,7 +116,7 @@ path "secret/delete/dev/team-1/*" {
To allow a policy to undelete data: To allow a policy to undelete data:
``` ```plaintext
path "secret/undelete/dev/team-1/*" { path "secret/undelete/dev/team-1/*" {
capabilities = ["update"] capabilities = ["update"]
} }
@ -122,7 +124,7 @@ path "secret/undelete/dev/team-1/*" {
To allow a policy to destroy versions: To allow a policy to destroy versions:
``` ```plaintext
path "secret/destroy/dev/team-1/*" { path "secret/destroy/dev/team-1/*" {
capabilities = ["update"] capabilities = ["update"]
} }
@ -130,7 +132,7 @@ path "secret/destroy/dev/team-1/*" {
To allow a policy to list keys: To allow a policy to list keys:
``` ```plaintext
path "secret/metadata/dev/team-1/*" { path "secret/metadata/dev/team-1/*" {
capabilities = ["list"] capabilities = ["list"]
} }
@ -138,7 +140,7 @@ path "secret/metadata/dev/team-1/*" {
To allow a policy to view metadata for each version: To allow a policy to view metadata for each version:
``` ```plaintext
path "secret/metadata/dev/team-1/*" { path "secret/metadata/dev/team-1/*" {
capabilities = ["read"] capabilities = ["read"]
} }
@ -146,7 +148,7 @@ path "secret/metadata/dev/team-1/*" {
To allow a policy to permanently remove all versions and metadata for a key: To allow a policy to permanently remove all versions and metadata for a key:
``` ```plaintext
path "secret/metadata/dev/team-1/*" { path "secret/metadata/dev/team-1/*" {
capabilities = ["delete"] capabilities = ["delete"]
} }
@ -207,11 +209,11 @@ real path).
1. Write another version, the previous version will still be accessible. The 1. Write another version, the previous version will still be accessible. The
`-cas` flag can optionally be passed to perform a check-and-set operation. If `-cas` flag can optionally be passed to perform a check-and-set operation. If
not set the write will be allowed. In order for a write to be successful, `cas` must be set to not set the write will be allowed. In order for a write to be successful, `cas` must be set to
the current version of the secret. If set to 0 a write will only be allowed if the current version of the secret. If set to 0 a write will only be allowed if
the key doesnt exist as unset keys do not have any version information. Also the key doesnt exist as unset keys do not have any version information. Also
remember that soft deletes do not remove any underlying version data from storage. remember that soft deletes do not remove any underlying version data from storage.
In order to write to a soft deleted key, the cas parameter must match the key's In order to write to a soft deleted key, the cas parameter must match the key's
current version. current version.
```shell-session ```shell-session
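Review bot: the visible context still reads `the key doesnt exist` on both sides of the hunk; since this paragraph is being touched anyway, it is a good moment to fix the typo to `doesn't`, and to add the missing comma in `If not set the write will be allowed` (`If not set, the write will be allowed`).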
@ -339,6 +341,77 @@ real path).
bar b bar b
``` ```
You can also use [Vault's password policy](/vault/docs/concepts/password-policies) feature to generate arbitrary values.
1. Write a password policy:
```shell-session
$ vault write sys/policies/password/example policy=-<<EOF
length=20
rule "charset" {
charset = "abcdefghij0123456789"
min-chars = 1
}
rule "charset" {
charset = "!@#$%^&*STUVWXYZ"
min-chars = 1
}
EOF
```
1. Write data using the `example` policy:
```shell-session
$ vault kv put -mount=secret my-generated-secret \
password=$(vault read -field password sys/policies/password/example/generate)
```
**Example output:**
<CodeBlockConfig hideClipboard>
```plaintext
========= Secret Path =========
secret/data/my-generated-secret
======= Metadata =======
Key Value
--- -----
created_time 2023-05-10T14:32:32.37354939Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
```
</CodeBlockConfig>
1. Read the generated data:
```shell-session
$ vault kv get -mount=secret my-generated-secret
========= Secret Path =========
secret/data/my-generated-secret
======= Metadata =======
Key Value
--- -----
created_time 2023-05-10T14:32:32.37354939Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
====== Data ======
Key Value
--- -----
password !hh&be1e4j16dVc0ggae
```
### Deleting and Destroying Data ### Deleting and Destroying Data
When deleting data the standard `vault kv delete` command will perform a When deleting data the standard `vault kv delete` command will perform a
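Review bot: `password=$(vault read -field password sys/policies/password/example/generate)` places the generated value in the argument list of `vault kv put`, so it lands in the shell history and is visible in the process listing on that host for the duration of the call. Since this section presents the pattern as the way to generate secrets, a sentence suggesting the stdin form (`password=-` with the generated value piped in, the same `-` syntax the `policy=-<<EOF` line already uses) would avoid that exposure. Otherwise the added `-mount=secret` usage matches the rest of the v2 page, and the **Example output:** block after the `vault kv put` step is consistent with the `vault kv get` output that follows (same `created_time` and `version 1`).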
@ -517,7 +590,9 @@ See the commands below for more information:
```shell-session ```shell-session
$ vault kv metadata patch -mount=secret -custom-metadata=foo=def my-secret $ vault kv metadata patch -mount=secret -custom-metadata=foo=def my-secret
Success! Data written to: secret/metadata/my-secret Success! Data written to: secret/metadata/my-secret
```
```shell-session
$ vault kv get -mount=secret my-secret $ vault kv get -mount=secret my-secret
====== Metadata ====== ====== Metadata ======
Key Value Key Value