Vault - How can I get list of secrets by API request

Question

Im new to hashicrop vault server. I need some general information's on the usage.

I created KV engines named test.

I want to list all secrets defined in this scope by api request.

vault kv list test/

What is API equivalent of this CLI ?

Answer 1

Vault CLI can generate the curl command for you:

add in -output-curl-string

if this succeeds vault kv list -address https://vault.url.com secret/

then run vault kv list -address https://vault.url.com -output-curl-string secret/

output

curl -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" https://vault.url.com/v1/secret/data/?list=true

Note the appended args to get the listing in the URL: ?list=true

Answer 2

If you want to use some API clients like Postman or Thunder Client, the use the following settings:

• Method: GET
• URL: https://vault.ai.cba/v1/kv/metadata/test/?list=true or https://vault.ai.cba/v1/kv/metadata/test/ and set query parameter list to true
• Set header X-Vault-Token to Vault token
• If the engine is KV v2, set header X-Vault-Namespace to

If you use Python requests, then use this:

requests.get(url, request_headers={"X-Vault-Namespace": <vault_namespace>}, params_body={'list': 'true'})

Answer 3

For that particular command, the API request would be

$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    https://127.0.0.1:8200/v1/test

(assuming your server is running on your local machine). Note the --request LIST to perform a LIST request, and the /test at the end of the URL - that's the path where you created your engine (which is secret by default, but you have chosen test). Of course you will need to fill in the ... with an actual token for this request to succeed.

The documentation you are looking for is here: https://www.vaultproject.io/api-docs/secret/kv/kv-v1 (or for v2: https://www.vaultproject.io/api-docs/secret/kv/kv-v2)