Delete a Key and Value from a secret

Chris Murphy

Mar 31, 2016, 10:29:34 AM
to Vault

Hi Guys,

Looking to delete a key and value from a secret

vault read secret/Test/Test1

Key                   Value
lease_duration  2592000
Test1                 deletethis1
Test2                 12345678
Test3                 batman12
Test4                 654321


Looking to delete Test1. Is there a command for this?


Thank you

Jeff Mitchell

Mar 31, 2016, 10:43:39 AM
to vault...@googlegroups.com
Hi Chris,

You cannot delete specific entries; you have to re-write the data
without Test1 in it.

If you want to remove entries at arbitrary times, I suggest splitting
those entries up into different paths.

Best,
Jeff
> --
> This mailing list is governed under the HashiCorp Community Guidelines -
> https://www.hashicorp.com/community-guidelines.html. Behavior in violation
> of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups
> "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/vault-tool/f8735426-2b9e-46cb-869b-44620fc48b15%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
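
The rewrite described in the reply above, as an added example (not part of the original thread and not Vault's own code): read the secret, drop one key, and write the rest back over Vault's HTTP API. The names `http_transport`, `remove_key` and `fake_vault` are hypothetical, and the in-memory store is constructed so the block runs offline.

```python
import json
import urllib.request


def http_transport(addr, token):
    """Build call(method, path, body) against Vault's HTTP API."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"{addr}/v1/{path}", data=data, method=method,
            headers={"X-Vault-Token": token})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None
    return call


def remove_key(call, path, key):
    """Rewrite the secret at `path` without `key`; return the keys that remain."""
    current = call("GET", path)["data"]
    if key not in current:
        return sorted(current)          # nothing to remove, skip the write
    remaining = {k: v for k, v in current.items() if k != key}
    if remaining:
        call("PUT", path, remaining)    # a write replaces the whole secret
    else:
        call("DELETE", path)            # no keys left, delete the secret itself
    return sorted(remaining)


def fake_vault(store):
    """Constructed in-memory stand-in for Vault, so the example runs offline."""
    def call(method, path, body=None):
        if method == "GET":
            return {"data": dict(store[path])}
        if method == "PUT":
            store[path] = dict(body)
        elif method == "DELETE":
            store.pop(path, None)
        return None
    return call


# Constructed sample mirroring the secret from the question.
store = {"secret/Test/Test1": {"Test1": "deletethis1", "Test2": "12345678",
                               "Test3": "batman12", "Test4": "654321"}}
left = remove_key(fake_vault(store), "secret/Test/Test1", "Test1")
print(left)
```

The read and the write are separate requests, so a concurrent writer to the same path can be overwritten; serialize updates to a path, or split entries into separate paths as suggested above.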

Chris Murphy

Mar 31, 2016, 11:52:02 AM
to Vault

What about delete a folder

/secret/Test/Test1/secret

So delete Test1 from the path ???????

Can I do that?

Jeff Mitchell

Mar 31, 2016, 11:56:45 AM
to vault...@googlegroups.com
Hi Chris,

On Thu, Mar 31, 2016 at 11:52 AM, Chris Murphy
<chrismich...@gmail.com> wrote:
>
> What about delete a folder
>
> /secret/Test/Test1/secret
>
> So delete Test1 from the path ???????

You don't delete "folders", only "files". But "folders" are not
accessible in and of themselves. So when you delete
secret/Test/Test1/secret then nothing will be at secret/Test/Test1,
assuming there were no other values living there.

Best,
Jeff

Chris Murphy

Apr 8, 2016, 6:27:49 AM
to Vault
I have deleted all secrets in the path

/secret/Test/Test1/

How do I remove this path from vault ????

Did an API call

curl -H "X-Vault-Token: <Token>"  -X GET http://10.17.12.111:8100/v1/secret/Test/Test1?list=true

I get back

{
    "auth": null,
    "data": {},
    "lease_duration": 0,
    "lease_id": "",
    "renewable": false,
    "warnings": null
}

Jeff Mitchell

Apr 8, 2016, 3:33:11 PM
to vault...@googlegroups.com
Hi Chris,

"data" is empty in the response. If there were anything there, you'd
get a "keys" value inside "data".

Best,
Jeff

Chris Murphy

Apr 11, 2016, 6:06:16 AM
to Vault


Hi Jeff

Yes I know it is empty. I want to remove /secret/Test/Test1/. I removed all secrets in /secret/Test/Test1/ but the path is still showing. When I do a ?list=true it shows all empty (paths); would like to remove them. But when I do vault delete /secret/Test/Test1/ it is still available ???

1. All secrets in this (Path) /secret/Test/Test1/ are deleted. Great
2. But (Path or Destination) is still available, would like to remove ????????

Jeff Mitchell

Apr 11, 2016, 10:52:26 AM
to vault...@googlegroups.com
Hi Chris,

I'm afraid I still don't understand what the issue is. Can you provide
a repeatable set of commands against a fresh 'vault server -dev'
showing how to get to this state?

Thanks,
Jeff

Chris Murphy

Apr 11, 2016, 11:32:15 AM
to Vault

Ya no problem

1. vault write secret/path/to/machine1 value=Hello
2. vault delete secret/path/To/machine1

Now Secret is deleted machine1

Go to HTTP API

3. curl -H "X-Vault-Token: <Token>"  -X GET http://10.16.12.111:8200/v1/secret/path/?list=true

I then get back in the request

{
    "auth": null,
    "data": {
        "keys": [
            "To/"
        ]
    },
    "lease_duration": 0,
    "lease_id": "",
    "renewable": false,
    "warnings": null
}

4. vault delete secret/path/To       (Remove To and Remove path)

So if I delete the secrets all the paths are still available

Example

curl -H "X-Vault-Token: <Token>"  -X GET http://10.16.12.111:8200/v1/secret/?list=true

{
    "auth": null,
    "data": {
        "keys": [
            "path0/",
            "path/",
            "path1/",
            "path2/",
            "path3/",
            "path4/",
            "path5/"
        ]
    },
    "lease_duration": 0,
    "lease_id": "",
    "renewable": false,
    "warnings": null
}


Paths are available after I deleted the secrets ......

Jeff Mitchell

Apr 11, 2016, 11:55:07 AM
to vault...@googlegroups.com
Hi Chris,

What storage backend are you using? This may be something specific to
your backend storage:

$ vault write secret/foo/bar value=hi
Success! Data written to: secret/foo/bar

$ vault delete secret/foo/bar
Success! Deleted 'secret/foo/bar'

$ curl -H "X-Vault-Token: $(cat ~/.vault-token)" -X GET http://127.0.0.1:8200/v1/secret/?list=true
{"lease_id":"","renewable":false,"lease_duration":0,"data":{},"warnings":null,"auth":null}

$ curl -H "X-Vault-Token: $(cat ~/.vault-token)" -X GET http://127.0.0.1:8200/v1/secret/foo?list=true
{"lease_id":"","renewable":false,"lease_duration":0,"data":{},"warnings":null,"auth":null}

$ curl -H "X-Vault-Token: $(cat ~/.vault-token)" -X GET http://127.0.0.1:8200/v1/secret/?list=true
{"lease_id":"","renewable":false,"lease_duration":0,"data":{},"warnings":null,"auth":null}

--Jeff

Chris Murphy

Apr 11, 2016, 12:02:16 PM
to Vault


Just working with the file storage for now. Will be replaced with Consul or AWS in the future ...

Jeff Mitchell

Apr 11, 2016, 12:07:29 PM
to vault...@googlegroups.com
Hi Chris,

I think this is an artifact of the file backend, to avoid it
constantly checking on every delete operation whether a directory is
empty and removing the directory if so (plus locking or else
potentially hitting a race condition while doing this). I just tested
on Consul and do not see this behavior of paths sticking around.

Best,
Jeff
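
To audit for leftover prefixes like the ones reported in this thread, the list responses can be walked recursively. This is an added example, not from the thread or from Vault; `keys_of`, `list_keys` and `empty_prefixes` are hypothetical names, and the responses are constructed in the shapes shown above (folder names end in `/`, and `"data"` is empty when nothing is listed).

```python
# Constructed list responses in the shape shown in the thread.
RESPONSES = {
    "secret/": {"data": {"keys": ["app/", "path/"]}},
    "secret/app/": {"data": {"keys": ["db"]}},
    "secret/path/": {"data": {"keys": ["To/"]}},
    "secret/path/To/": {"data": {}},
}


def keys_of(response):
    """Extract the key list from a list response, tolerating empty data."""
    return ((response or {}).get("data") or {}).get("keys") or []


def list_keys(prefix):
    """Stand-in for GET /v1/<prefix>?list=true; swap in a real HTTP call."""
    return keys_of(RESPONSES.get(prefix))


def empty_prefixes(list_keys, root):
    """Return folder prefixes under `root` that hold no secrets at any depth."""
    empty = []

    def walk(prefix):
        has_secret = False
        for key in list_keys(prefix):
            if key.endswith("/"):
                has_secret |= walk(prefix + key)   # descend into the folder
            else:
                has_secret = True                  # a real secret lives here
        if not has_secret and prefix != root:
            empty.append(prefix)
        return has_secret

    walk(root)
    return sorted(empty)


stale = empty_prefixes(list_keys, "secret/")
print(stale)
```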