a3dfde5cec
* conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads
449 lines
12 KiB
Markdown
449 lines
12 KiB
Markdown
---
|
||
layout: "api"
|
||
page_title: "KV - Secrets Engines - HTTP API"
|
||
sidebar_title: "K/V Version 2"
|
||
sidebar_current: "api-http-secret-kv-v2"
|
||
description: |-
|
||
This is the API documentation for the Vault KV secrets engine.
|
||
---
|
||
|
||
# KV Secrets Engine - Version 2 (API)
|
||
|
||
This is the API documentation for the Vault KV secrets engine while running in
|
||
versioned mode. For general information about the usage and operation of the kv
|
||
secrets engine, please see the [Vault kv
|
||
documentation](/docs/secrets/kv/index.html).
|
||
|
||
This documentation assumes the kv secrets engine is enabled at the
|
||
`/secret` path in Vault and that versioning has been enabled. Since it is
|
||
possible to enable secrets engines at any location, please update your API calls
|
||
accordingly.
|
||
|
||
|
||
## Configure the KV Engine
|
||
|
||
This path configures backend level settings that are applied to every key in the
|
||
key-value store.
|
||
|
||
| Method | Path | Produces |
|
||
| :------- | :--------------------------- | :--------------------- |
|
||
| `POST` | `/secret/config` | `204 (empty body)` |
|
||
|
||
### Parameters
|
||
|
||
- `max_versions` `(int: 0)` – The number of versions to keep per key. This value
|
||
applies to all keys, but a key's metadata setting can overwrite this value.
|
||
Once a key has more than the configured allowed versions the oldest version
|
||
will be permanently deleted. Defaults to 10.
|
||
|
||
- `cas_required` `(bool: false)` – If true all keys will require the cas
|
||
parameter to be set on all write requests.
|
||
|
||
### Sample Payload
|
||
|
||
```json
|
||
{
|
||
"max_versions": 5,
|
||
"cas_required": false
|
||
}
|
||
```
|
||
|
||
### Sample Request
|
||
|
||
```
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request POST \
|
||
--data @payload.json \
|
||
https://127.0.0.1:8200/v1/secret/config
|
||
```
|
||
|
||
|
||
## Read Secret Version
|
||
|
||
This endpoint retrieves the secret at the specified location.
|
||
|
||
| Method | Path | Produces |
|
||
| :------- | :--------------------------- | :--------------------- |
|
||
| `GET` | `/secret/data/:path` | `200 application/json` |
|
||
|
||
### Parameters
|
||
|
||
- `path` `(string: <required>)` – Specifies the path of the secret to read.
|
||
This is specified as part of the URL.
|
||
- `version` `(int: 0)` - Specifies the version to return. If not set the latest
|
||
version is returned.
|
||
|
||
### Sample Request
|
||
|
||
```
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
https://127.0.0.1:8200/v1/secret/data/my-secret
|
||
```
|
||
|
||
### Sample Response
|
||
|
||
```json
|
||
{
|
||
"data": {
|
||
"data": {
|
||
"foo": "bar"
|
||
},
|
||
"metadata": {
|
||
"created_time": "2018-03-22T02:24:06.945319214Z",
|
||
"deletion_time": "",
|
||
"destroyed": false,
|
||
"version": 1
|
||
}
|
||
},
|
||
}
|
||
```
|
||
|
||
## Create/Update Secret
|
||
|
||
This endpoint creates a new version of a secret at the specified location. If
|
||
the value does not yet exist, the calling token must have an ACL policy granting
|
||
the `create` capability. If the value already exists, the calling token must
|
||
have an ACL policy granting the `update` capability.
|
||
|
||
| Method | Path | Produces |
|
||
| :------- | :--------------------------- | :--------------------- |
|
||
| `POST` | `/secret/data/:path` | `200 application/json` |
|
||
|
||
### Parameters
|
||
|
||
- `options` `(Map: <optional>)` – An object that holds option settings.
|
||
- `cas` `(int: <optional>)` - Set the "cas" value to use a Check-And-Set
|
||
operation. If not set the write will be allowed. If set to 0 a write will
|
||
only be allowed if the key doesn’t exist. If the index is non-zero the
|
||
write will only be allowed if the key’s current version matches the
|
||
version specified in the cas parameter.
|
||
|
||
- `data` `(Map: <required>)` – The contents of the data map will be stored and
|
||
returned on read.
|
||
|
||
### Sample Payload
|
||
|
||
```json
|
||
{
|
||
"options": {
|
||
"cas": 0
|
||
},
|
||
"data": {
|
||
"foo": "bar",
|
||
"zip": "zap"
|
||
}
|
||
}
|
||
```
|
||
|
||
### Sample Request
|
||
|
||
```
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request POST \
|
||
--data @payload.json \
|
||
https://127.0.0.1:8200/v1/secret/data/my-secret
|
||
```
|
||
|
||
### Sample Response
|
||
```
|
||
{
|
||
"data": {
|
||
"created_time": "2018-03-22T02:36:43.986212308Z",
|
||
"deletion_time": "",
|
||
"destroyed": false,
|
||
"version": 1
|
||
}
|
||
}
|
||
```
|
||
|
||
## Delete Latest Version of Secret
|
||
|
||
This endpoint issues a soft delete of the secret's latest version at the
|
||
specified location. This marks the version as deleted and will stop it from
|
||
being returned from reads, but the underlying data will not be removed. A
|
||
delete can be undone using the `undelete` path.
|
||
|
||
| Method | Path | Produces |
|
||
| :------- | :--------------------------- | :--------------------- |
|
||
| `DELETE` | `/secret/data/:path` | `204 (empty body)` |
|
||
|
||
### Parameters
|
||
|
||
- `path` `(string: <required>)` – Specifies the path of the secret to delete.
|
||
This is specified as part of the URL.
|
||
|
||
### Sample Request
|
||
|
||
```
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request DELETE \
|
||
https://127.0.0.1:8200/v1/secret/data/my-secret
|
||
```
|
||
|
||
## Delete Secret Versions
|
||
|
||
This endpoint issues a soft delete of the specified versions of the secret. This
|
||
marks the versions as deleted and will stop them from being returned from reads,
|
||
but the underlying data will not be removed. A delete can be undone using the
|
||
`undelete` path.
|
||
|
||
| Method | Path | Produces |
|
||
| :------- | :--------------------------- | :--------------------- |
|
||
| `POST` | `/secret/delete/:path` | `204 (empty body)` |
|
||
|
||
### Parameters
|
||
|
||
- `path` `(string: <required>)` – Specifies the path of the secret to delete.
|
||
This is specified as part of the URL.
|
||
- `versions` `([]int: <required>)` - The versions to be deleted. The versioned
|
||
data will not be deleted, but it will no longer be returned in normal get
|
||
requests.
|
||
|
||
### Sample Payload
|
||
|
||
```json
|
||
{
|
||
"versions": [1, 2]
|
||
}
|
||
```
|
||
|
||
### Sample Request
|
||
|
||
```
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request POST \
|
||
--data @payload.json \
|
||
https://127.0.0.1:8200/v1/secret/delete/my-secret
|
||
```
|
||
|
||
## Undelete Secret Versions
|
||
|
||
Undeletes the data for the provided version and path in the key-value store.
|
||
This restores the data, allowing it to be returned on get requests.
|
||
|
||
| Method | Path | Produces |
|
||
| :------- | :--------------------------- | :--------------------- |
|
||
| `POST` | `/secret/undelete/:path` | `204 (empty body)` |
|
||
|
||
### Parameters
|
||
|
||
- `path` `(string: <required>)` – Specifies the path of the secret to undelete.
|
||
This is specified as part of the URL.
|
||
- `versions` `([]int: <required>)` - The versions to undelete. The versions will
|
||
be restored and their data will be returned on normal get requests.
|
||
|
||
### Sample Payload
|
||
|
||
```json
|
||
{
|
||
"versions": [1, 2]
|
||
}
|
||
```
|
||
|
||
### Sample Request
|
||
|
||
```
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request POST \
|
||
--data @payload.json \
|
||
https://127.0.0.1:8200/v1/secret/undelete/my-secret
|
||
```
|
||
|
||
## Destroy Secret Versions
|
||
|
||
Permanently removes the specified version data for the provided key and version
|
||
numbers from the key-value store.
|
||
|
||
| Method | Path | Produces |
|
||
| :------- | :--------------------------- | :--------------------- |
|
||
| `POST` | `/secret/destroy/:path` | `204 (empty body)` |
|
||
|
||
### Parameters
|
||
|
||
- `path` `(string: <required>)` – Specifies the path of the secret to destroy.
|
||
This is specified as part of the URL.
|
||
- `versions` `([]int: <required>)` - The versions to destroy. Their data will be
|
||
permanently deleted.
|
||
|
||
### Sample Payload
|
||
|
||
```json
|
||
{
|
||
"versions": [1, 2]
|
||
}
|
||
```
|
||
|
||
### Sample Request
|
||
|
||
```
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request POST \
|
||
--data @payload.json \
|
||
https://127.0.0.1:8200/v1/secret/destroy/my-secret
|
||
```
|
||
|
||
## List Secrets
|
||
|
||
This endpoint returns a list of key names at the specified location. Folders are
|
||
suffixed with `/`. The input must be a folder; list on a file will not return a
|
||
value. Note that no policy-based filtering is performed on keys; do not encode
|
||
sensitive information in key names. The values themselves are not accessible via
|
||
this command.
|
||
|
||
| Method | Path | Produces |
|
||
| :------- | :--------------------------- | :--------------------- |
|
||
| `LIST` | `/secret/metadata/:path` | `200 application/json` |
|
||
|
||
### Parameters
|
||
|
||
- `path` `(string: <required>)` – Specifies the path of the secrets to list.
|
||
This is specified as part of the URL.
|
||
|
||
### Sample Request
|
||
|
||
```
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request LIST \
|
||
https://127.0.0.1:8200/v1/secret/metadata/my-secret
|
||
```
|
||
|
||
### Sample Response
|
||
|
||
The example below shows output for a query path of `secret/` when there are
|
||
secrets at `secret/foo` and `secret/foo/bar`; note the difference in the two
|
||
entries.
|
||
|
||
```json
|
||
{
|
||
"data": {
|
||
"keys": ["foo", "foo/"]
|
||
},
|
||
}
|
||
```
|
||
|
||
## Read Secret Metadata
|
||
|
||
This endpoint retrieves the metadata and versions for the secret at the
|
||
specified path.
|
||
|
||
| Method | Path | Produces |
|
||
| :------- | :--------------------------- | :--------------------- |
|
||
| `GET` | `/secret/metadata/:path` | `200 application/json` |
|
||
|
||
### Parameters
|
||
|
||
- `path` `(string: <required>)` – Specifies the path of the secret to read.
|
||
This is specified as part of the URL.
|
||
|
||
### Sample Request
|
||
|
||
```
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
https://127.0.0.1:8200/v1/secret/metadata/my-secret
|
||
```
|
||
|
||
### Sample Response
|
||
|
||
```json
|
||
{
|
||
"data": {
|
||
"created_time": "2018-03-22T02:24:06.945319214Z",
|
||
"current_version": 3,
|
||
"max_versions": 0,
|
||
"oldest_version": 0,
|
||
"updated_time": "2018-03-22T02:36:43.986212308Z",
|
||
"versions": {
|
||
"1": {
|
||
"created_time": "2018-03-22T02:24:06.945319214Z",
|
||
"deletion_time": "",
|
||
"destroyed": false
|
||
},
|
||
"2": {
|
||
"created_time": "2018-03-22T02:36:33.954880664Z",
|
||
"deletion_time": "",
|
||
"destroyed": false
|
||
},
|
||
"3": {
|
||
"created_time": "2018-03-22T02:36:43.986212308Z",
|
||
"deletion_time": "",
|
||
"destroyed": false
|
||
}
|
||
}
|
||
}
|
||
}
|
||
```
|
||
|
||
|
||
## Update Metadata
|
||
|
||
This endpoint creates a new version of a secret at the specified location. If
|
||
the value does not yet exist, the calling token must have an ACL policy granting
|
||
the `create` capability. If the value already exists, the calling token must
|
||
have an ACL policy granting the `update` capability.
|
||
|
||
| Method | Path | Produces |
|
||
| :------- | :--------------------------- | :--------------------- |
|
||
| `POST` | `/secret/metadata/:path` | `204 (empty body)` |
|
||
|
||
### Parameters
|
||
|
||
- `max_versions` `(int: 0)` – The number of versions to keep per key. If not
|
||
set, the backend’s configured max version is used. Once a key has more than
|
||
the configured allowed versions the oldest version will be permanently
|
||
deleted.
|
||
|
||
- `cas_required` `(bool: false)` – If true the key will require the cas
|
||
parameter to be set on all write requests. If false, the backend’s
|
||
configuration will be used.
|
||
|
||
### Sample Payload
|
||
|
||
```json
|
||
{
|
||
"max_versions": 5,
|
||
"cas_required": false
|
||
}
|
||
```
|
||
|
||
### Sample Request
|
||
|
||
```
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request POST \
|
||
--data @payload.json \
|
||
https://127.0.0.1:8200/v1/secret/metadata/my-secret
|
||
```
|
||
|
||
## Delete Metadata and All Versions
|
||
|
||
This endpoint permanently deletes the key metadata and all version data for the
|
||
specified key. All version history will be removed.
|
||
|
||
| Method | Path | Produces |
|
||
| :------- | :--------------------------- | :--------------------- |
|
||
| `DELETE` | `/secret/metadata/:path` | `204 (empty body)` |
|
||
|
||
### Parameters
|
||
|
||
- `path` `(string: <required>)` – Specifies the path of the secret to delete.
|
||
This is specified as part of the URL.
|
||
|
||
### Sample Request
|
||
|
||
```
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request DELETE \
|
||
https://127.0.0.1:8200/v1/secret/metadata/my-secret
|
||
```
|