Manage KV Secret Engines

Enable KV Secrets Engine

Currently, when you start the Vault server in dev mode, it automatically enables v2 of the KV secrets engine at secret/.

This tutorial focuses on the key/value v1 secrets engine. The Versioned Key/Value Secret Engine tutorial highlights features that are specific to the key/value v2 secrets engine.

1. Open a web browser and launch the Vault UI (e.g. http://127.0.0.1:8200/ui) and then log in.

If key/value v2 is enabled at secret, the UI indicates this with a v2 tag.

2. Select Enable new engine and click the KV radio button.

3. Click Next.

4. Enter kv-v1 in the Path field, and select 1 from the Version drop-down list.

5. Click Enable Engine.

Store the Google API key

Everything after the kv-v1 path is a key-value pair to write to the secrets engine. You can specify multiple values. If the value has a space, you need to surround it with quotes. Having keys with spaces is permitted, but strongly discouraged because it can lead to unexpected client-side behavior.

Let's assume that the path convention in your organization is kv-v1/<OWNER>/apikey/<APP> for API keys. To store the Google API key used by the engineering team, the path would be kv-v1/eng/apikey/Google. If you have an API key for New Relic owned by the DevOps team, the path would look like kv-v1/devops/apikey/New_Relic.

1. In the Web UI, select kv-v1 and then Create secret.

2. Enter eng/apikey/Google in the Path for this secret field, key in the key field, and some value in the key value field.

3. Click Save.

4. Click the sensitive information toggle to show or hide the secret value.

Retrieve the secrets

The command to read a secret is:

vault kv get kv-v1/<PATH>

1. Read the secret at the path kv-v1/eng/apikey/Google using the apps token.

vault kv get kv-v1/eng/apikey/Google

2. Read only the key field at the path kv-v1/eng/apikey/Google.

vault kv get -field=key kv-v1/eng/apikey/Google
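
The UI steps and read commands above can also be scripted with the vault CLI. The following is an added example, not part of the original tutorial: it builds paths under the kv-v1/<OWNER>/apikey/<APP> convention, writes the value from stdin so it stays out of shell history and the process list, and reads the key field back. The helper names apikey_path, store_apikey and read_apikey and the sample value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: CLI counterpart of the UI steps in this tutorial.
# apikey_path, store_apikey and read_apikey are hypothetical helpers,
# not Vault commands.

MOUNT="kv-v1"

# Build kv-v1/<OWNER>/apikey/<APP>. Empty segments, spaces and slashes are
# rejected so a typo cannot write outside the agreed layout.
apikey_path() {
  _owner="$1"
  _app="$2"
  for _seg in "$_owner" "$_app"; do
    case "$_seg" in
      ""|*[!A-Za-z0-9_-]*)
        echo "invalid path segment: '$_seg'" >&2
        return 1
        ;;
    esac
  done
  printf '%s/%s/apikey/%s\n' "$MOUNT" "$_owner" "$_app"
}

# Store the API key under the field "key". "key=-" makes vault read the
# value from stdin instead of taking it as a command-line argument.
store_apikey() {
  _path="$(apikey_path "$1" "$2")" || return 1
  vault kv put "$_path" key=-
}

# Read back only the "key" field, as in the last step of the tutorial.
read_apikey() {
  _path="$(apikey_path "$1" "$2")" || return 1
  vault kv get -field=key "$_path"
}

# Demo against a dev server (VAULT_ADDR and a token must already be set).
# Runs only when the script is called with --demo.
if [ "${1:-}" = "--demo" ]; then
  vault secrets enable -path="$MOUNT" -version=1 kv
  # Constructed sample value; printf '%s' sends it without a trailing newline.
  printf '%s' 'constructed-sample-value' | store_apikey eng Google
  read_apikey eng Google
fi
```
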