open-vault/website/source/docs/secrets/cubbyhole/index.html.md
Seth Vargo 50f720bc06 Remove tabs from terminal output
This also standardizes on the indentation we use for multi-line commands as
well as prefixes all commands with a $ to indicate a shell.
2015-10-12 12:10:22 -04:00

| layout | page_title | sidebar_current | description |
| --- | --- | --- | --- |
| docs | Secret Backend: Cubbyhole | docs-secrets-cubbyhole | The cubbyhole secret backend can store arbitrary secrets scoped to a single token. |

Cubbyhole Secret Backend

Name: cubbyhole

The cubbyhole secret backend is used to store arbitrary secrets within the configured physical storage for Vault. It is mounted at the cubbyhole/ prefix by default and cannot be mounted elsewhere or removed.

This backend differs from the generic backend in that the generic backend's values are accessible to any token with read privileges on that path. In this backend, paths are scoped per token; no token can read secrets placed in another token's cubbyhole. When the token expires, its cubbyhole is destroyed.

Also unlike the generic backend, because the cubbyhole's lifetime is linked to an authentication token, there is no concept of a lease or lease TTL for values contained in the token's cubbyhole.

Writing to a key in the cubbyhole/ backend replaces the old value; the sub-fields are not merged together.

Quick Start

The cubbyhole backend allows for writing keys with arbitrary values.

As an example, we can write a new key "foo" to the cubbyhole backend, which is mounted at cubbyhole/:

```
$ vault write cubbyhole/foo \
    zip=zap
Success! Data written to: cubbyhole/foo
```

This writes the key with the "zip" field set to "zap". We can test this by doing a read:

```
$ vault read cubbyhole/foo
Key             Value
zip             zap
```

As expected, the value previously set is returned to us.

API

/cubbyhole

GET

Description
Retrieves the secret at the specified location.
Method
GET
URL
`/cubbyhole/`
Parameters
None
Returns
```javascript
{
  "auth": null,
  "data": {
    "foo": "bar"
  },
  "lease_duration": 0,
  "lease_id": "",
  "renewable": false
}
```

POST/PUT

Description
Stores a secret at the specified location.
Method
POST/PUT
URL
`/cubbyhole/`
Parameters
  • (key) optional A key, paired with an associated value, to be held at the given location. Multiple key/value pairs can be specified, and all will be returned on a read operation.
Returns
A `204` response code.
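
Because a write replaces the whole value rather than merging sub-fields, a client that wants to change one field has to read, merge and write back. The following is an added example, not part of the original documentation or the Vault code base. It assumes the standard `/v1` API prefix and `X-Vault-Token` request header (neither is shown on this page), a local server address, and hypothetical helper names.

```python
import json
import urllib.error
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # assumption: local dev server address


def _call(method, path, token, body=None, opener=urllib.request.urlopen):
    """Send one request to the cubbyhole backend; return parsed JSON or None."""
    req = urllib.request.Request(
        f"{VAULT_ADDR}/v1/cubbyhole/{path}",
        data=json.dumps(body).encode() if body is not None else None,
        method=method,
        headers={"X-Vault-Token": token},  # the token selects the cubbyhole
    )
    try:
        with opener(req) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 404:  # nothing stored at this path for this token
            return None
        raise
    return json.loads(raw) if raw else None  # a 204 write has no body


def read_secret(path, token, **kw):
    """Return the fields stored at path in this token's cubbyhole."""
    reply = _call("GET", path, token, **kw)
    return reply["data"] if reply else {}


def write_secret(path, token, fields, **kw):
    """Store fields at path; anything previously stored there is replaced."""
    _call("POST", path, token, body=fields, **kw)


def update_secret(path, token, changes, **kw):
    """Read-modify-write so fields not named in changes survive the write."""
    # Not atomic: two clients sharing one token can still overwrite each other.
    merged = {**read_secret(path, token, **kw), **changes}
    write_secret(path, token, merged, **kw)
    return merged
```

The `opener` parameter exists so the helpers can be exercised against a stub transport instead of a live server.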