Vaultx.Secrets.KV.V2 (Vaultx v0.7.0)


HashiCorp Vault KV v2 secrets engine implementation.

This module implements the KV v2 secrets engine: key-value storage with automatic versioning, metadata management, and secret lifecycle operations (soft delete, undelete, destroy). KV v2 is the current, full-featured version of Vault's key-value storage.

Advanced Features

  • Versioned Storage: Automatic versioning of all secret changes
  • Metadata Management: Rich metadata tracking for secrets and versions
  • Check-and-Set (CAS): Atomic updates with version validation
  • Soft Delete: Reversible deletion with recovery capabilities
  • Permanent Destruction: Secure, irreversible version removal
  • Configurable Policies: Version limits, TTL, and retention policies
  • Audit Trail: Complete history of secret modifications

API Compliance

Fully implements the HashiCorp Vault KV v2 API.

HTTP Endpoints

KV v2 uses structured paths with /data/ and /metadata/ prefixes:

  • GET /{mount}/data/{path} - Read secret data
  • POST /{mount}/data/{path} - Write secret data
  • DELETE /{mount}/data/{path} - Soft delete latest version
  • GET /{mount}/metadata/{path} - Read secret metadata
  • POST /{mount}/metadata/{path} - Write secret metadata
  • DELETE /{mount}/metadata/{path} - Delete all versions and metadata
  • POST /{mount}/undelete/{path} - Undelete specific versions
  • POST /{mount}/destroy/{path} - Permanently destroy versions
  • LIST /{mount}/metadata/{path} - List secrets

Usage Examples

# Read latest version
{:ok, secret} = Vaultx.Secrets.KV.V2.read("myapp/config", mount_path: "secret")

# Read specific version
{:ok, secret} = Vaultx.Secrets.KV.V2.read("myapp/config", version: 2, mount_path: "secret")

# Write with check-and-set
{:ok, result} = Vaultx.Secrets.KV.V2.write("myapp/config", %{"key" => "value"}, cas: 1, mount_path: "secret")

# Soft delete (reversible)
:ok = Vaultx.Secrets.KV.V2.delete("myapp/config", versions: [2], mount_path: "secret")

# Undelete versions
:ok = Vaultx.Secrets.KV.V2.undelete("myapp/config", versions: [2], mount_path: "secret")

# Permanently destroy
:ok = Vaultx.Secrets.KV.V2.destroy("myapp/config", versions: [1], mount_path: "secret")
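The check-and-set write above is only useful when every writer uses it consistently: with cas_required=false on the mount, a write that omits cas: overwrites unconditionally, so the lost-update protection lives in the client. The following module is an added example built on the functions documented on this page (not part of Vaultx itself). It assumes read/2 returns {:ok, %{"data" => ..., "metadata" => %{"version" => n}}}, mirroring Vault's /data/ response body, and that a CAS mismatch is returned as {:error, _}.

```elixir
defmodule MyApp.SecretRotation do
  # Example check-and-set helpers on top of Vaultx.Secrets.KV.V2 (not Vaultx code).
  # Assumed response shape: {:ok, %{"data" => map, "metadata" => %{"version" => n}}}.
  alias Vaultx.Secrets.KV.V2

  @mount "secret"
  @max_attempts 3

  # Create-only write: cas: 0 asks Vault to succeed only if no version exists yet,
  # so a second deployer cannot silently overwrite a secret that was already seeded.
  def create_once(path, data) do
    V2.write(path, data, cas: 0, mount_path: @mount)
  end

  # Atomic read-modify-write. The version we read is passed back as cas:; if another
  # writer bumped the version in between, Vault rejects the write and we retry from a
  # fresh read instead of clobbering their change (a lost update).
  def update(path, update_fun, attempt \\ 1)

  def update(_path, _update_fun, attempt) when attempt > @max_attempts,
    do: {:error, :cas_retries_exhausted}

  def update(path, update_fun, attempt) do
    case V2.read(path, mount_path: @mount) do
      {:ok, %{"data" => current, "metadata" => %{"version" => version}}} ->
        case V2.write(path, update_fun.(current), cas: version, mount_path: @mount) do
          {:ok, result} -> {:ok, result}
          # Assumed: a CAS mismatch surfaces as {:error, _}; re-read and try again.
          {:error, _conflict} -> update(path, update_fun, attempt + 1)
        end

      # Read failures (missing secret, permission denied) are not retried.
      {:error, reason} ->
        {:error, reason}
    end
  end
end

# Rotate one field without discarding keys another team may have just changed:
#   MyApp.SecretRotation.update("myapp/db", &Map.put(&1, "password", new_password))
```

A CAS rejection on a rotation job is worth alerting on: it means two writers touched the same secret concurrently, which is usually a deployment or automation bug rather than a transient error.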

Configuration

# Enable KV v2 engine (default for new installations)
vault secrets enable -version=2 -path=secret kv

# Configure engine settings
vault write secret/config max_versions=10 cas_required=false delete_version_after="0s"

Version Management

  • Each write operation creates a new version (1, 2, 3, ...)
  • Versions can be soft-deleted (marked as deleted but recoverable)
  • Versions can be permanently destroyed (irreversible)
  • Maximum versions can be configured to auto-delete old versions
  • Auto-deletion timers can be set for automatic cleanup

Metadata Structure

KV v2 maintains rich metadata including:

  • Version information (created_time, deletion_time, destroyed)
  • Custom metadata fields
  • Version history and status
  • Configuration settings

Summary

Functions

configure(config, opts \\ [])

delete(path, opts \\ [])

list(path, opts \\ [])

read(path, opts \\ [])

write(path, data, opts \\ [])