'vault kv destroy' not destroying?


real.jef...@gmail.com

Feb 4, 2019, 3:38:08 PM
to Vault
Hey folks,

I'm sure I've misunderstood or botched something but I'm having a tough time figuring out what that is. My goal is to cleanup my vault hierarchy a bit by deleting some entries that are no longer needed.

"Permanently removes the specified version data for the provided key and version numbers from the key-value store."

To me this means if I 'vault kv destroy -versions=-1' on a vault in path, then that version of that secret shouldn't be accessible anymore, but I'm seeing different behavior even when using the root token:


$ vault kv destroy -versions=1 secrets/mypath/mytest
Success! Data written to: secrets/destroy/mypath/mytest
[jwelling@cayvr-jeff:~] 2019-02-04 12:16:37
$ vault kv get secrets/mypath/mytest
====== Metadata ======
Key              Value
---              -----
created_time     2019-02-04T20:14:03.446512242Z
deletion_time    n/a
destroyed        false
version          1

==== Data ====
Key      Value
---      -----
value    my secret
[jwelling@cayvr-jeff:~] 2019-02-04 12:16:41

Can anyone help me understand what I'm doing wrong?
Vault client and server versions: Vault v1.0.2
KV store version 2

I've checked the logs and there's no additional detail about anything going wrong.


Is it possible to delete a secret from vault entirely? Eg so that secret/mypath/mytest doesn't exist anymore at all?
Thanks in advance for your time!
Jeff.

Megakoresh

Feb 4, 2019, 4:05:58 PM
to Vault
To fully remove a secret from kv2 backend you have to remove its metadata, I think documentation states that somewhere. So run

vault kv metadata delete your/secret/will/be/gone

Jeff Mitchell

Feb 4, 2019, 4:11:27 PM
to Vault
Hi Jeff,

I can't reproduce:

$ vault kv put secret/mypath/mytest foo=bar
Key              Value
---              -----
created_time     2019-02-04T20:47:04.429586854Z
deletion_time    n/a
destroyed        false
version          1

$ vault kv destroy -versions=1 secret/mypath/mytest
Success! Data written to: secret/destroy/mypath/mytest

$ vault kv get secret/mypath/mytest
====== Metadata ======
Key              Value
---              -----
created_time     2019-02-04T20:47:04.429586854Z
deletion_time    n/a
destroyed        true
version          1


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/0d108275-e78c-4ac8-bd5d-88c64d4347fc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
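The three removal levels the replies above distinguish (Megakoresh's `vault kv metadata delete` to make the path disappear entirely, and the `destroyed true` flag that Jeff Mitchell's session shows after `vault kv destroy`), as an added example that is not part of the thread: a Python check over the JSON that `vault kv metadata get -format=json` returns, run on constructed sample documents, which reports which versions are still readable so that a destroy that did not take effect (the opener's situation) is caught. The response shape assumed (`data.versions` keyed by version number, each with `deletion_time` and `destroyed`) is that of the KV v2 metadata endpoint; the timestamps are made up.

```python
import json
from typing import Dict, List, Optional

# Constructed sample: the thread-opener's situation, version 1 still live
# (the shape `vault kv metadata get -format=json` returns).
OP_METADATA = json.dumps({"data": {"current_version": 1, "versions": {
    "1": {"created_time": "2019-02-04T20:14:03Z", "deletion_time": "", "destroyed": False}}}})

# Constructed sample: the expected state after `vault kv destroy -versions=1`.
DESTROYED_METADATA = json.dumps({"data": {"current_version": 1, "versions": {
    "1": {"created_time": "2019-02-04T20:47:04Z", "deletion_time": "", "destroyed": True}}}})

# Constructed sample: version 1 soft-deleted with `vault kv delete`, version 2 live.
SOFT_DELETED_METADATA = json.dumps({"data": {"current_version": 2, "versions": {
    "1": {"created_time": "2019-02-04T20:00:00Z", "deletion_time": "2019-02-04T20:30:00Z",
          "destroyed": False},
    "2": {"created_time": "2019-02-04T20:10:00Z", "deletion_time": "", "destroyed": False}}}})


def version_state(version: dict) -> str:
    """A KV v2 version is in exactly one of three states."""
    if version.get("destroyed"):
        return "destroyed"      # data gone for good; `vault kv undelete` cannot restore it
    if version.get("deletion_time"):
        return "soft-deleted"   # hidden from `vault kv get`, recoverable with `vault kv undelete`
    return "live"


def path_exists(metadata_json: Optional[str]) -> bool:
    """None models the 404 that `vault kv metadata get` returns once
    `vault kv metadata delete` has removed the path and every version."""
    return metadata_json is not None


def secret_state(metadata_json: Optional[str]) -> Dict[int, str]:
    """Map each version number to its state; an absent path has no versions."""
    if not path_exists(metadata_json):
        return {}
    versions = json.loads(metadata_json)["data"]["versions"]
    return {int(n): version_state(v) for n, v in versions.items()}


def readable_versions(metadata_json: Optional[str]) -> List[int]:
    """Versions whose data `vault kv get -version=N` would still return.
    A destroy that worked leaves the destroyed version out of this list."""
    return sorted(n for n, s in secret_state(metadata_json).items() if s == "live")
```

Feeding the real `vault kv metadata get -format=json` output into `readable_versions` after a destroy is a quick way to confirm the operation did what the success message claims.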

Jeff W

Feb 4, 2019, 4:12:50 PM
to vault...@googlegroups.com
Ah I'll try that, thank you kindly!

Jeff W

Feb 4, 2019, 4:14:04 PM
to vault...@googlegroups.com
I see what you mean, you can't reproduce it, plot thickens! That's quite odd indeed because I've reproduced this in production as well as in a 'vault server -dev' setup.
Are you using version 1.0.2 of vault as well?

Jeff W

Feb 4, 2019, 4:16:23 PM
to vault...@googlegroups.com
Welp, copy/pasting your example indeed works in my test cluster, so I'll take that as a sign that it's a typo or mistake with my commands, thanks kindly for confirming!

Jeff Mitchell

Feb 4, 2019, 4:16:51 PM
to Vault
Hi Jeff,

I tested on both 1.0.2 and current master, same result.

Best,
Jeff

On Mon, Feb 4, 2019 at 4:14 PM Jeff W <real.jef...@gmail.com> wrote:
I see what you mean, you can't reproduce it, plot thickens! That's quite odd indeed because I've reproduced this in production as well as in a 'vault server -dev' setup.
Are you using version 1.0.2 of vault as well?


Jeff Mitchell

Feb 4, 2019, 4:17:03 PM
to Vault
Sure, no problem!

Best,
Jeff
