Reputation: 69
I am developing a backend service which exposes APIs. I have decided to use Vault to store the tokens to access these APIs.
Right now I am storing and rotating the keys manually in Vault. This is my sample code to read secrets from Vault.
func (v *vImpl) readSecret(name string) (map[string]interface{}, error) {
	// name is the full read path under the mount, e.g. "secret/data/my-api-token" on a kv-v2 mount
	secret, err := v.client.Logical().Read(name)
	if err != nil {
		return nil, err
	}
	if secret == nil {
		// Logical().Read returns (nil, nil) when nothing exists at the path
		return nil, fmt.Errorf("no secret found at %q", name)
	}
	/* process secrets */
	return secret.Data, nil
}
While reading the secret from Vault, I would like to check if the key has been stored in Vault for the past 6 months. If so, I would like to rotate it.
Is there a way to check when the key was added to Vault?
Upvotes: 1
Views: 476
Reputation: 1
At its core, Vault's key/value engine doesn't natively store metadata like creation timestamps for secrets. That said, there are idiomatic ways within the Vault ecosystem to achieve your goals:
Using Versioned Key/Value Secrets Engine: If you're using version 2 of the K/V secrets engine (kv-v2), every time you create or update a secret, a new version of that secret is created. The metadata endpoint provides information about all versions of the secret, including creation timestamps.
To get the creation time of a particular version, you'd use the metadata endpoint:
secret, err := v.client.Logical().Read(fmt.Sprintf("%s/metadata/%s", mountPath, name))
if err != nil {
	return nil, err
}
if secret == nil {
	return nil, fmt.Errorf("no metadata for %q", name) // path does not exist
}
// kv-v2 metadata keys each version by its number, as a string
versions, ok := secret.Data["versions"].(map[string]interface{})
if !ok {
	return nil, fmt.Errorf("unexpected metadata shape for %q", name)
}
// Assuming you want the first version
versionData := versions["1"].(map[string]interface{})
createdAtStr := versionData["created_time"].(string)
// Vault returns RFC 3339 with a nanosecond fraction; Go's RFC3339 layout accepts fractional seconds when parsing
createdAt, err := time.Parse(time.RFC3339, createdAtStr)
if err != nil {
	return nil, err
}
// time.Duration has no Month unit; build a six-month cutoff with AddDate instead
if createdAt.Before(time.Now().AddDate(0, -6, 0)) {
	// Rotate the key
}
Upvotes: 0
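The following is an added example, not code from the question or the answer above, showing the age check end to end on the kv-v2 metadata shape. It goes one step beyond the answer: instead of reading version "1" (the first write, which can be much older than the key actually in use) it follows `current_version`, which is the version a plain read of `<mount>/data/<name>` returns. The metadata JSON is constructed, not captured from a real server, and the code uses only the standard library so it runs offline; in the service you would feed `secret.Data` from `client.Logical().Read(mount + "/metadata/" + name)` into `NeedsRotation` instead of parsing a string.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// sampleMetadata is a constructed stand-in for the "data" object that
// GET /v1/<mount>/metadata/<name> returns on a kv-v2 mount. It is not
// captured from a real Vault server; only the shape follows the kv-v2 API.
const sampleMetadata = `{
  "created_time": "2023-01-10T09:00:00.123456789Z",
  "current_version": 2,
  "updated_time": "2023-03-15T14:30:00.5Z",
  "versions": {
    "1": {"created_time": "2023-01-10T09:00:00.123456789Z", "deletion_time": "", "destroyed": false},
    "2": {"created_time": "2023-03-15T14:30:00.5Z", "deletion_time": "", "destroyed": false}
  }
}`

// ParseMetadata decodes a metadata "data" object into the same
// map[string]interface{} shape that secret.Data has in the Vault Go client.
func ParseMetadata(raw string) (map[string]interface{}, error) {
	var data map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &data); err != nil {
		return nil, err
	}
	return data, nil
}

// versionNumber accepts both number encodings seen in practice: float64 from
// a plain json.Unmarshal, json.Number from the Vault client's decoder.
func versionNumber(v interface{}) (int64, error) {
	switch n := v.(type) {
	case float64:
		return int64(n), nil
	case json.Number:
		return n.Int64()
	default:
		return 0, fmt.Errorf("current_version has unexpected type %T", v)
	}
}

// CurrentVersionCreated returns the created_time of current_version, i.e. the
// version a plain read of <mount>/data/<name> hands back. Version "1" is only
// the first write and may be far older than the key the service is using.
func CurrentVersionCreated(data map[string]interface{}) (time.Time, error) {
	cur, err := versionNumber(data["current_version"])
	if err != nil {
		return time.Time{}, err
	}
	versions, ok := data["versions"].(map[string]interface{})
	if !ok {
		return time.Time{}, fmt.Errorf("metadata has no versions map")
	}
	ver, ok := versions[fmt.Sprint(cur)].(map[string]interface{})
	if !ok {
		return time.Time{}, fmt.Errorf("version %d missing from metadata", cur)
	}
	created, ok := ver["created_time"].(string)
	if !ok {
		return time.Time{}, fmt.Errorf("version %d has no created_time", cur)
	}
	// Vault writes RFC 3339 with a nanosecond fraction; Go's RFC3339 layout
	// accepts fractional seconds on parse even though the layout omits them.
	return time.Parse(time.RFC3339, created)
}

// NeedsRotation reports whether the current version is older than maxAgeMonths
// calendar months as of now. time.Duration has no month unit, so the cutoff is
// built with AddDate rather than a multiplied Duration.
func NeedsRotation(data map[string]interface{}, now time.Time, maxAgeMonths int) (bool, error) {
	created, err := CurrentVersionCreated(data)
	if err != nil {
		return false, err
	}
	cutoff := now.AddDate(0, -maxAgeMonths, 0)
	return created.Before(cutoff), nil
}

func main() {
	data, err := ParseMetadata(sampleMetadata)
	if err != nil {
		panic(err)
	}
	// Fixed "now" values so the run is reproducible; the service would use time.Now().
	for _, now := range []time.Time{
		time.Date(2023, 9, 1, 0, 0, 0, 0, time.UTC),
		time.Date(2023, 10, 1, 0, 0, 0, 0, time.UTC),
	} {
		rotate, err := NeedsRotation(data, now, 6)
		if err != nil {
			panic(err)
		}
		fmt.Printf("as of %s rotate=%v\n", now.Format("2006-01-02"), rotate)
	}
}
```

With the constructed metadata, version 2 was written on 2023-03-15, so the check is false on 2023-09-01 and true on 2023-10-01; keying off version "1" (2023-01-10) would already trigger on the earlier date. One caveat: created_time is when the version was written to Vault, not when the upstream API issued the token, so if the two differ the age is underestimated; record the issue date yourself (kv-v2's custom_metadata on the same metadata path is one place for it) if that gap matters for your rotation policy.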