Reputation: 3065
I'm using Hashicorp engine version 2 and namespace vault-poc
Displays all key values for engine kv and path tool-common/dev as below:
C:\Users\meuser>curl -H "X-Vault-Token: s.lcF5f0npjzeioNnbJvPVjihN" -H "X-Vault-Namespace: vault-poc/" -X GET https://so-vlt.mybank.com/v1/kv/data/tool-common/dev
{"request_id":"2fa8ea3f-d381-59c4-4306-78fc9c7d1578","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"svc-DeployDev":"5!KaA1UvST8d","svc-DeployProd":"NjPC14rDJvc"},"metadata":{"created_time":"2023-06-06T17:45:20.449956832Z","deletion_time":"","destroyed":false,"version":2}},"wrap_info":null,"warnings":null,"auth":null}
Unable to get a single specific key value, i.e. svc-DeployProd:
C:\Users\meuser>curl -H "X-Vault-Token: s.lcF5f0npjzeioNnbJvPVjihN" -H "X-Vault-Namespace: vault-poc/" -X GET https://so-vlt.mybank.com/v1/kv/data/tool-common/dev/data/svc-DeployProd
{"errors":[]}
I'm on Windows. How can I get Hashicorp to return a specific key-value, i.e. svc-DeployProd?
Also, the desired output should be like the below without the junk data [probably json]:
"svc-DeployProd":"NjPC14rDJvc"
Upvotes: 0
Views: 2618
Reputation: 10181
To avoid the parsing problem @Matt Schuchard mentioned in the comments, you must structure your data when you store it in Vault.
In other words, Vault will not interpret the data you stored under tool-common/dev and see if it can extract svc-DeployProd or data/svc-DeployProd from the JSON it happens to store there. It will also make your life much easier when you write access policies if the path to your secret has some meaning.
So to solve your problem, you must write your secrets like this (assuming VAULT_NAMESPACE, VAULT_ADDR and VAULT_TOKEN are set in the environment):
vault kv put kv/tool-common/dev/svc-DeployDev 'username=something' 'password=5!KaA1UvST8d'
vault kv put kv/tool-common/dev/svc-DeployProd 'username=something' 'password=NjPC14rDJvc'
Notice that you can still store rich data that way. Here I stored a username along with the password.
To get the data back just ask for it:
vault kv get --field password kv/tool-common/dev/svc-DeployDev
Will return 5!KaA1UvST8d parsed and ready to go.
With that in hand, ask Vault to provide you with the cURL command by adding --output-curl-string:
$ vault kv get -output-curl-string --field password kv/tool-common/dev/svc-DeployDev
But you are on your own to parse. The whole thing should look like this in the end:
$ curl --silent --header "X-Vault-Token: $(vault print token)" http://127.0.0.1:8200/v1/kv/data/tool-common/dev/svc-DeployDev | jq -r .data.data.password
5!KaA1UvST8d
Upvotes: 0
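Client-side extraction of one key from a KV v2 read response, for machines without jq (an added example, not part of the original posts). The names `extract_field` and `build_request` and the sample bodies are constructed for illustration; the token is read from the environment so it does not appear on the command line.

```python
import json
import os
import urllib.request

# Constructed sample bodies in the KV v2 response shape shown in the question.
SAMPLE_OK = json.dumps({
    "data": {
        "data": {"svc-DeployDev": "constructed-dev-value",
                 "svc-DeployProd": "constructed-prod-value"},
        "metadata": {"deletion_time": "", "destroyed": False, "version": 2},
    }
})
SAMPLE_NOT_FOUND = '{"errors":[]}'  # body the question got for a path holding no secret


def extract_field(body: str, key: str) -> str:
    """Return one key from a KV v2 read response, or raise LookupError."""
    doc = json.loads(body)
    if "errors" in doc:
        raise LookupError("no secret at this path: %s" % (doc["errors"] or "empty error list"))
    envelope = doc.get("data") or {}
    meta = envelope.get("metadata") or {}
    # A soft-deleted or destroyed version carries metadata but no usable data.
    if meta.get("destroyed") or meta.get("deletion_time"):
        raise LookupError("secret version %s is deleted or destroyed" % meta.get("version"))
    secret = envelope.get("data") or {}
    if key not in secret:
        raise LookupError("key %r not in secret (has: %s)" % (key, sorted(secret)))
    return secret[key]


def build_request(mount: str, path: str) -> urllib.request.Request:
    """Build the KV v2 read request; token and namespace come from the environment."""
    url = "%s/v1/%s/data/%s" % (os.environ["VAULT_ADDR"].rstrip("/"), mount, path)
    headers = {"X-Vault-Token": os.environ["VAULT_TOKEN"]}
    if os.environ.get("VAULT_NAMESPACE"):
        headers["X-Vault-Namespace"] = os.environ["VAULT_NAMESPACE"]
    return urllib.request.Request(url, headers=headers, method="GET")


if __name__ == "__main__":
    print(extract_field(SAMPLE_OK, "svc-DeployProd"))
    # Live read (needs VAULT_ADDR and VAULT_TOKEN set):
    #   with urllib.request.urlopen(build_request("kv", "tool-common/dev")) as r:
    #       print(extract_field(r.read().decode(), "svc-DeployProd"))
```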