Metro

Reputation: 975

Vault Nested Namespace Limits

I'm new to Vault and I'm seeking some information on limits.

If I have a Vault namespace foo

vault namespace list
Keys
----
foo/

under which I would like to create a bunch of additional namespaces, one per project. foo/1, foo/2, foo/3 and so on.

Is there a limit to the number of nested namespaces that can be created in Vault under a parent namespace?

The documentation talks about a 220 nesting depth for namespaces, if integrated storage is being used, but I'm not quite sure what this nesting depth means.

Upvotes: 0

Views: 479

Answers (1)

Matthew Schuchard

Reputation: 28854

The 220 nesting depth for namespaces refers to 220 levels of nesting within a namespace, i.e. foo/1/2/3/.../218/219/220. This is also per 1MiB of storage in integrated storage (Raft) because each level requires 40 to 6400 bytes, so the actual theoretical depth is likely much higher. Note, however, that each level requires at least two secret engine mounts (for sys and identity), one local secret engine (cubbyhole) and one auth engine mount (token), and so the effective limit is generally much smaller.

However, you are describing one nesting depth (foo/n) for namespaces with n number of namespaces (>= 4 since you give the foo/3 example). In that situation, you would be using 1/220 nesting depth with 4/7000 maximum number of namespaces (foo, foo/1, foo/2, and foo/3). You would need to perform some additional additive math involving the size of a namespace, the number of namespaces, and the number of secrets engines per depth to determine the actual percentage consumption.

All that being said: your hypothetical example here is far under the limit for 1MiB of integrated storage, and as such I would be very surprised if you reached the maximum allocated storage space for Vault due to namespaces given the current normal amount of available disk space.

Upvotes: 1
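The distinction the answer draws between nesting depth and number of namespaces can be checked against a namespace listing. The following is an added example, not code from the question or the answer: it takes a flat list of full namespace paths and reports depth, fan-out and implied default mounts against the figures quoted in the answer (220 levels, 7000 namespaces). The function name `summarize`, the depth convention (levels below the top-level namespace, as the answer counts them) and both sample lists are assumptions made for the example.

```python
from collections import Counter

# Figures quoted in the answer above (per 1 MiB of integrated storage).
MAX_DEPTH = 220
MAX_NAMESPACES = 7000
# Minimum implicit mounts per namespace named in the answer:
# sys, identity, cubbyhole (secret engines) and token (auth).
SECRET_MOUNTS_PER_NS = 3
AUTH_MOUNTS_PER_NS = 1


def summarize(paths):
    """Summarize a flat list of full namespace paths such as 'foo/1/'."""
    namespaces = set()
    for raw in paths:
        parts = [p for p in raw.strip().split("/") if p]
        if not parts:
            continue
        # A child implies its ancestors exist, so register every prefix.
        for i in range(1, len(parts) + 1):
            namespaces.add(tuple(parts[:i]))

    # Depth counted as in the answer: levels below the top-level namespace.
    max_depth = max((len(ns) - 1 for ns in namespaces), default=0)
    # Fan-out: direct children per parent, the dimension the question asks about.
    children = Counter(ns[:-1] for ns in namespaces if len(ns) > 1)
    widest = max(children.items(), key=lambda kv: kv[1], default=((), 0))
    count = len(namespaces)
    return {
        "namespaces": count,
        "max_depth": max_depth,
        "widest_parent": "/".join(widest[0]),
        "widest_fanout": widest[1],
        "secret_mounts": count * SECRET_MOUNTS_PER_NS,
        "auth_mounts": count * AUTH_MOUNTS_PER_NS,
        "depth_pct": round(100 * max_depth / MAX_DEPTH, 2),
        "count_pct": round(100 * count / MAX_NAMESPACES, 2),
    }


# Constructed sample inputs, not output from a real cluster.
FLAT = ["foo/", "foo/1/", "foo/2/", "foo/3/"]   # the layout in the question
DEEP = ["foo/1/2/3/"]                           # one chain, three levels deep

if __name__ == "__main__":
    for name, sample in (("flat", FLAT), ("deep", DEEP)):
        print(name, summarize(sample))
```

Both samples contain four namespaces, but the flat layout from the question sits at depth 1 while the chained one sits at depth 3, which is why adding more siblings under foo counts against the namespace total rather than the nesting depth.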
