$ vault write secret/test hello=world
This puts the key-value pair hello=world.
If we then do
$ vault write secret/test foo=bar
we will lose the hello=world key-value pair.
It would be good if it just added foo=bar and kept hello=world.
So, after those two commands, the final file should be
$ vault read secret/test
Key                Value
lease_id           secret/test/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
lease_duration     xxxxxxx
lease_renewable    xxxxx
hello              world
foo                bar
This won't be implemented -- we want Vault to be deterministic, and it follows CRUD semantics. Data lives at a location; if you want to update the data at the location you provide the new data (which includes anything you want to keep).
There are various workarounds, one being to simply read the data before writing it, the other to write the new pieces of data somewhere else and update them there.
@jefferai At least it would be nice to prompt a warning that "You are going to overwrite the existing key/value pair" to avoid accidents :).
Seems like a legit feature. It could be implemented with an -append argument, like so: vault write -append foo=bar
What am I to do if a secret has 10+ key/value pairs? Am I supposed to script out a wrapper around the vault command to preserve old secrets? Seems like a hassle that should be implemented in the main product imo.
If you're using KV v2, simply use vault kv patch.
Oh, I wasn't aware that the vault kv subset of commands had a patch command. Thanks.
In the meantime, one workaround which can easily be turned into a script:
# Read the existing data as JSON, add or overwrite one key with jq, and write the
# whole map back (the trailing "-" makes vault write take the JSON body from stdin).
vault read -format json -field data secret/foo/bar | \
  jq '.baz = "qux"' | \
  vault write secret/foo/bar -
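The same read-merge-write workaround as a script, added here as an example rather than taken from the thread or the Vault project. It talks to the KV v1 HTTP API (GET /v1/<path> returns {"data": {...}} or 404 when the secret does not exist yet; POST /v1/<path> replaces the whole secret), so it works on a Vault without the vault kv commands, such as the 0.8.3 mentioned below. The missing-secret case is handled so the first write does not fail, and the in-memory FakeVaultTransport, the host, the token and the paths are constructed for the offline demonstration.

```python
"""Scripted read-merge-write for a Vault KV v1 secret (the workaround from this thread).

Added example, not part of the Vault project. Assumes a KV v1 mount at secret/ and
the KV v1 HTTP API: GET /v1/<path> returns {"data": {...}} (HTTP 404 if the secret
does not exist), POST /v1/<path> replaces the whole secret with the JSON body.
"""
import io
import json
import os
import urllib.error
import urllib.request


def merge_kv(existing, new):
    """Existing pairs are kept; new pairs are added, overriding on a key clash."""
    merged = dict(existing)
    merged.update(new)
    return merged


class VaultKV1:
    """Minimal KV v1 client with an injectable transport (urlopen by default)."""

    def __init__(self, addr, token, opener=urllib.request.urlopen):
        self.addr = addr.rstrip("/")
        self.token = token
        self._open = opener

    def _request(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(f"{self.addr}/v1/{path}", data=data, method=method)
        req.add_header("X-Vault-Token", self.token)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with self._open(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def read(self, path):
        """Return the secret's key/value map, or {} when it does not exist yet."""
        try:
            return self._request("GET", path)["data"]
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return {}
            raise

    def write(self, path, pairs):
        """Plain CRUD write: whatever is not in `pairs` is gone afterwards."""
        self._request("POST", path, pairs)

    def append(self, path, new_pairs):
        """The -append the thread asks for: read, merge, write back the full map."""
        merged = merge_kv(self.read(path), new_pairs)
        self.write(path, merged)
        return merged


class FakeVaultTransport:
    """Constructed in-memory stand-in for urlopen so the example runs offline.

    Emulates just enough of KV v1: GET answers {"data": pairs} or raises 404,
    POST replaces the stored map (overwrite semantics, as jefferai describes).
    """

    def __init__(self):
        self.store = {}

    def __call__(self, req):
        path = req.full_url.split("/v1/", 1)[1]
        if req.get_method() == "GET":
            if path not in self.store:
                raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, None)
            return io.BytesIO(json.dumps({"data": self.store[path]}).encode())
        self.store[path] = json.loads(req.data)
        return io.BytesIO(b"")


def demo():
    """Replay the two writes from the issue through append(); return the final secret."""
    vault = VaultKV1("http://127.0.0.1:8200", "placeholder-token", opener=FakeVaultTransport())
    vault.append("secret/test", {"hello": "world"})  # first write: GET is 404, nothing to merge
    return vault.append("secret/test", {"foo": "bar"})  # second write keeps hello=world


if __name__ == "__main__":
    # Against a real server use VAULT_ADDR and VAULT_TOKEN, the same variables the CLI reads.
    addr, token = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    if addr and token:
        print(VaultKV1(addr, token).append("secret/test", {"foo": "bar"}))
    else:
        print(demo())
```

Two caveats worth knowing before relying on this in automation. The read and the write are separate requests, so two processes appending to the same path at the same time can each read the same old map and the second write silently drops the first one's keys; KV v2 closes that window with its check-and-set option (cas) and vault kv patch, KV v1 has no equivalent. And the token used here only needs read and update capability on that one path, which is all the policy should grant it.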
vault kv does not exist for me in
$ vault --version
Vault v0.8.3 ('6b29fb2b7f70ed538ee2b3c057335d706b6d4e36')
Is there no other way?