Vault Write Append
1,011 views
Skip to first unread message
Steve Wall
Nov 30, 2016, 4:45:11 PM11/30/16
to Vault
Hello,
I'd like to write multiple key/values to the same path. It appears this must be done in one operation. Subsequent "vault write" cause the old key/pairs to be deleted. If all key/value pairs are specified in one write, it allows multiple values. Am I missing something?
$ vault write secret/uat/app1 passphrase=xxxxxx
Success! Data written to: secret/uat/app1
$ vault read secret/uat/app1
Key Value
--- -----
refresh_interval 720h0m0s
passphrase xxxxxx
$ vault write secret/uat/app1 encrypt_keys=xxxxxxxx
Success! Data written to: secret/uat/app1
$ vault read secret/uat/app1
Key Value
--- -----
refresh_interval 720h0m0s
encrypt_keys xxxxxxxx
$ vault write secret/uat/app1 encrypt_keys=xxxxxxxx passphrase=xxxxxx
Success! Data written to: secret/uat/app1
$ vault read secret/uat/app1
Key Value
--- -----
refresh_interval 720h0m0s
encrypt_keys xxxxxxxx
passphrase xxxxxx
I'd like to write multiple key/values to the same path. It appears this must be done in one operation. Subsequent "vault write" cause the old key/pairs to be deleted. If all key/value pairs are specified in one write, it allows multiple values. Am I missing something?
$ vault write secret/uat/app1 passphrase=xxxxxx
Success! Data written to: secret/uat/app1
$ vault read secret/uat/app1
Key Value
--- -----
refresh_interval 720h0m0s
passphrase xxxxxx
$ vault write secret/uat/app1 encrypt_keys=xxxxxxxx
Success! Data written to: secret/uat/app1
$ vault read secret/uat/app1
Key Value
--- -----
refresh_interval 720h0m0s
encrypt_keys xxxxxxxx
$ vault write secret/uat/app1 encrypt_keys=xxxxxxxx passphrase=xxxxxx
Success! Data written to: secret/uat/app1
$ vault read secret/uat/app1
Key Value
--- -----
refresh_interval 720h0m0s
encrypt_keys xxxxxxxx
passphrase xxxxxx
Message has been deleted
Rich Fromm
Dec 1, 2016, 2:23:18 PM12/1/16
to Vault
On Wednesday, November 30, 2016 at 1:45:11 PM UTC-8, Steve Wall wrote:
I'd like to write multiple key/values to the same path. It appears this must be done in one operation. Subsequent "vault write" cause the old key/pairs to be deleted. If all key/value pairs are specified in one write, it allows multiple values. Am I missing something?
This also surprised me at first, but yes, this is the way it works. As they say, it's not a bug, it's a feature: :)
https://github.com/hashicorp/vault/issues/182
You can treat all of the key/value pairs as one blob, edit that as needed, and write that as JSON, for example.
I've decided it's easier to just introduce another level into your path, and write everything with the key "value". So in your case:
Not only do I feel that modifying the read/modify/write cycle is an unnecessary complication for the client, but I don't like the idea that if you forget to do this and just blindly write to secret/uat/app1, you can accidentally overwrite data.
Obviously people are misunderstanding this, so perhaps there should be an issue open to make this clearer in the docs.
https://github.com/hashicorp/vault/issues/182
You can treat all of the key/value pairs as one blob, edit that as needed, and write that as JSON, for example.
I've decided it's easier to just introduce another level into your path, and write everything with the key "value". So in your case:
vault write secret/uat/app1/passphrase value=xxxxx
vault write secret/uat/app1/encrypt_keys value=xxxxxxx
Not only do I feel that modifying the read/modify/write cycle is an unnecessary complication for the client, but I don't like the idea that if you forget to do this and just blindly write to secret/uat/app1, you can accidentally overwrite data.
Obviously people are misunderstanding this, so perhaps there should be an issue open to make this clearer in the docs.
Steve Wall
Dec 1, 2016, 3:36:39 PM12/1/16
to Vault
Thanks for the response Rich! Your solution was actually something we had discussed. Definitely a reasonable solution. For now though, I wrote a couple of scripts that seem to be working fine.
vaultadd.sh
#!/bin/bash
path=$1
key=$2
if [[ -s $3 ]];
then
value=`cat $3`
else
value=$3
fi
vault read -format=json $path | jq '.data' | \
jq --arg k ${key} --arg v "${value}" '.[$k] = $v' | \
vault write $path -
=====
vaultdel.sh
#!/bin/bash
path=$1
key=$2
vault read -format=json $path | jq '.data' | jq --arg k ${key} 'del(.[$k])' | \
vault write $path -
vaultadd.sh
#!/bin/bash
path=$1
key=$2
if [[ -s $3 ]];
then
value=`cat $3`
else
value=$3
fi
vault read -format=json $path | jq '.data' | \
jq --arg k ${key} --arg v "${value}" '.[$k] = $v' | \
vault write $path -
=====
vaultdel.sh
#!/bin/bash
path=$1
key=$2
vault read -format=json $path | jq '.data' | jq --arg k ${key} 'del(.[$k])' | \
vault write $path -
Reply all
Reply to author
Forward
0 new messages