Kiralyn

Reputation: 55

How to use HashiCorp's Vault API in order to get all the secret values from a directory with a single API call

I am using Postman to call the Vault API.

Right now I am doing an API call to this endpoint

https://vault.something.com/v1/kv/data/ENV/DEV/secret1

I am passing in the body a roleId and secretId and in the headers the X-Vault-Namespace and X-Vault-Token and I am getting the value of the secret at this path.

I am also able to get all the keys by calling

https://vault.something.com/v1/kv/metadata/ENV/DEV?list=true

I need to get the values of all the secrets from ENV/DEV/ using a single API call. Can you give me an idea? I got stuck in the existing documentation.

Upvotes: 3

Views: 5451

Answers (2)

Dai Tran

Reputation: 36

If you can relax the requirement of "a single API call", then it can be simply achieved by following these two steps:

  1. List all the keys in ENV/DEV/ using https://vault.something.com/v1/kv/metadata/ENV/DEV?list=true and put them into a list
  2. Loop through the above list and for each item, call https://vault.something.com/v1/kv/data/ENV/DEV/ to extract all secrets and store in a dict secrets like secrets[] = {'key1': 'value1', 'key2': 'value2'}

Upvotes: 1

spurgavie

Reputation: 171

This is not possible. HashiCorp has had an open issue on this subject for over four years and shows no sign of picking it up.

Many people have already built code to handle the recursion, and simply hammer the Vault API until a directory tree is fully explored. Check the GitHub issue linked above for helpful people that have posted their solutions.

Upvotes: 1
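The list-then-read loop and the recursion described in the two answers above, as an added example that is not part of the original posts. It assumes a KV v2 mount named `kv` as in the question; `http_get`, `read_tree`, `fake_get` and the sample responses are hypothetical names and constructed data so the walk runs offline.

```python
import json
import urllib.request

def http_get(url, token, namespace=None):
    """GET a Vault URL with the headers from the question; return parsed JSON."""
    headers = {"X-Vault-Token": token}
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def read_tree(get, base, mount, path):
    """Return {secret_path: {key: value}} for every secret under `path`.

    `get` is any callable that takes a URL and returns parsed JSON.
    The token needs `list` on <mount>/metadata/<path> and `read` on
    <mount>/data/<path>; scope the policy to this subtree only.
    """
    path = path.strip("/")
    listing = get(f"{base}/v1/{mount}/metadata/{path}?list=true")
    secrets = {}
    for key in listing["data"]["keys"]:
        child = f"{path}/{key}"
        if key.endswith("/"):
            # A trailing "/" marks a sub-folder: explore it recursively.
            secrets.update(read_tree(get, base, mount, child))
        else:
            # KV v2 wraps the payload as data.data next to data.metadata.
            secrets[child] = get(f"{base}/v1/{mount}/data/{child}")["data"]["data"]
    return secrets

# Constructed sample responses standing in for a Vault server.
B = "https://vault.something.com/v1/kv"
FAKE = {
    f"{B}/metadata/ENV/DEV?list=true": {"data": {"keys": ["secret1", "svc/"]}},
    f"{B}/metadata/ENV/DEV/svc?list=true": {"data": {"keys": ["db"]}},
    f"{B}/data/ENV/DEV/secret1": {"data": {"data": {"key1": "value1"}, "metadata": {"version": 1}}},
    f"{B}/data/ENV/DEV/svc/db": {"data": {"data": {"user": "app"}, "metadata": {"version": 3}}},
}

def fake_get(url):
    return FAKE[url]

def demo():
    # Against a real server: read_tree(lambda u: http_get(u, token, ns), ...)
    return read_tree(fake_get, "https://vault.something.com", "kv", "ENV/DEV")
```

The returned dict holds plaintext secret values, so keep it in memory and out of logs and Postman-style shared collections.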
