cubbyhole delete api details were missing. added them.
layout | page_title | sidebar_current | description |
---|---|---|---|
docs | Secret Backend: Cubbyhole | docs-secrets-cubbyhole | The cubbyhole secret backend can store arbitrary secrets scoped to a single token. |
Cubbyhole Secret Backend
Name: cubbyhole
The `cubbyhole` secret backend is used to store arbitrary secrets within the configured physical storage for Vault. It is mounted at the `cubbyhole/` prefix by default and cannot be mounted elsewhere or removed.
This backend differs from the `generic` backend in that the `generic` backend's values are accessible to any token with read privileges on that path. In this backend, paths are scoped per token; no token can read secrets placed in another token's cubbyhole. When the token expires, its cubbyhole is destroyed.
Also unlike the `generic` backend, because the cubbyhole's lifetime is linked to an authentication token, there is no concept of a lease or lease TTL for values contained in the token's cubbyhole.
Writing to a key in the `cubbyhole` backend will replace the old value; the sub-fields are not merged together.
Quick Start
The `cubbyhole` backend allows for writing keys with arbitrary values. As an example, we can write a new key "foo" to the `cubbyhole` backend, which is mounted at `cubbyhole/`:
```
$ vault write cubbyhole/foo \
    zip=zap
Success! Data written to: cubbyhole/foo
```
This writes the key with the "zip" field set to "zap". We can test this by doing a read:
```
$ vault read cubbyhole/foo
Key    Value
zip    zap
```
As expected, the value previously set is returned to us.
API
GET
- Description
- Retrieves the secret at the specified location.
- Method
- GET
- URL
- `/cubbyhole/`
- Parameters
- None
- Returns
-
```javascript
{
  "auth": null,
  "data": {
    "foo": "bar"
  },
  "lease_duration": 0,
  "lease_id": "",
  "renewable": false
}
```
LIST
- Description
- Returns a list of secret entries at the specified location. Folders are suffixed with `/`. The input must be a folder; list on a file will not return a value. Note that no policy-based filtering is performed on returned keys; it is not recommended to put sensitive or secret values as key names. The values themselves are not accessible via this command.
- Method
- GET
- URL
- `/cubbyhole/?list=true`
- Parameters
- None
- Returns
-
The example below shows output for a query path of `cubbyhole/` when there
are secrets at `cubbyhole/foo` and `cubbyhole/foo/bar`; note the difference
in the two entries.
```javascript
{
  "auth": null,
  "data": {
    "keys": ["foo", "foo/"]
  },
  "lease_duration": 2592000,
  "lease_id": "",
  "renewable": false
}
```
POST/PUT
- Description
- Stores a secret at the specified location.
- Method
- POST/PUT
- URL
- `/cubbyhole/`
- Parameters
-
- (key) optional A key, paired with an associated value, to be held at the given location. Multiple key/value pairs can be specified, and all will be returned on a read operation.
- Returns
- A `204` response code.
DELETE
- Description
- Deletes the secret at the specified location.
- Method
- DELETE
- URL
- `/cubbyhole/`
- Parameters
- None
- Returns
- A `204` response code.
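The behaviours described on this page (per-token scoping, whole-value replacement on write, folder-suffixed LIST output, destruction on token expiry) can be checked against a small in-memory model. This is an added example, not Vault's code: `CubbyholeModel`, its method names and the token strings are hypothetical, and the empty result for listing a file path is one reading of "will not return a value".

```python
# Added illustration: an in-memory model of the cubbyhole semantics this page
# describes. Not Vault code; CubbyholeModel and its methods are hypothetical.

class CubbyholeModel:
    def __init__(self):
        self._store = {}  # token -> {path: {field: value}}

    def write(self, token, path, **fields):
        # A write replaces the whole value at the path; fields are not merged.
        self._store.setdefault(token, {})[path] = dict(fields)

    def read(self, token, path):
        # Lookups are keyed by the caller's token, so no other token's
        # cubbyhole is ever consulted.
        return self._store.get(token, {}).get(path)

    def delete(self, token, path):
        self._store.get(token, {}).pop(path, None)

    def list_keys(self, token, folder=""):
        # The input must be a folder ("" is the root); a file path yields
        # nothing. Child folders are reported with a trailing "/".
        if folder and not folder.endswith("/"):
            return []
        keys = set()
        for path in self._store.get(token, {}):
            if path.startswith(folder):
                head, sep, _ = path[len(folder):].partition("/")
                keys.add(head + sep)
        return sorted(keys)

    def expire(self, token):
        # When the token expires, its cubbyhole is destroyed.
        self._store.pop(token, None)


def demo():
    cub = CubbyholeModel()
    cub.write("token-a", "foo", zip="zap")        # constructed sample data
    cub.write("token-a", "foo/bar", x="1")
    cub.write("token-a", "foo", other="value")    # replaces zip=zap entirely
    results = {
        "owner_read": cub.read("token-a", "foo"),
        "other_token_read": cub.read("token-b", "foo"),
        "listing": cub.list_keys("token-a"),
    }
    cub.expire("token-a")
    results["after_expiry"] = cub.read("token-a", "foo")
    return results
```

The `listing` result reproduces the `["foo", "foo/"]` pair from the LIST example: key names are visible to the listing call even though values are not, which is why the page advises against putting sensitive data in key names.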