Vault: delete all secrets under a path

Created on 24 Dec 2015 · 5 comments · Source: hashicorp/vault

It would be very handy if Vault allowed for the deletion of a whole path of secrets, rather than having to delete them one by one.

e.g.

vault delete -recurse=true secret/teams/teamA OR
vault delete secret/teams/teamA/*

would delete everything under this path which may include for example secret/teams/teamA/password1, secret/teams/teamA/password2 but not secret/teams/teamB/password1 etc.

You may say that you can simply mount different teams under different areas and then use unmounting as one option, which is true. However, if for whatever reason you choose to partition Vault in another way (maybe prod/dev/staging etc.), having the ability to bulk delete secrets in this fashion is very handy (at least in the generic backend), provided you have the privs to do so of course.

All 5 comments

Hi there,

We looked at it a bit ago as part of another feature we were implementing and found some issues, the main being that deletion behavior across physical backends did not always support recursive delete natively and performing a manual delete within Vault by recursively listing and deleting could have deleterious effects on the backends (especially HA backends) if the number of keys was large. This could mean that an operation could unexpectedly cause both a very long delay within a Vault-using application completing, and could put serious load on the backend.

For now we decided to stick to having clients recursively delete if they desire, but each operation then is much less likely to cause an issue, and the delete can be abandoned by the client at any point along the way and retried later if the backend has become too loaded.

What will help and allow this is that list support will come to generic soon (next release or two), so it then becomes a pretty easy walk of the tree and delete commands.

If we find a good way to support recursive delete across physical backends we will certainly be looking at implementing it.
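The client-side approach described in the comment above (walk the tree with list, delete one leaf per request, so the run can be abandoned and resumed) as an added example. This is not code from the Vault project or from anyone in this thread. It shells out to the vault CLI and assumes the binary is on PATH with VAULT_ADDR and VAULT_TOKEN set, and that the target is the generic (KV v1) backend the issue is about; the Runner indirection and make_fake_runner are hypothetical helpers so the walk can be exercised offline against a constructed tree.

```python
"""Client-side recursive delete for a Vault KV (generic) path.

Added example, not Vault's own code. Walks the tree with `vault list` and
deletes one leaf at a time with `vault delete`, so each request is small and
the run can be stopped (Ctrl-C) and re-run later; a `pause` between deletes
throttles load on the storage backend. Assumes `vault` is on PATH with
VAULT_ADDR/VAULT_TOKEN set. The `Runner` indirection and `make_fake_runner`
are hypothetical helpers for offline testing only.
"""
import json
import subprocess
import time
from typing import Callable, Dict, Iterator, List

Runner = Callable[[List[str]], str]  # runs `vault <args>` and returns stdout


def run_vault(args: List[str]) -> str:
    """Invoke the real vault CLI. Exit status 2 on `list` (the CLI's
    'No value found' case) is treated as an empty listing; any other
    non-zero exit is an error."""
    proc = subprocess.run(["vault", *args], capture_output=True, text=True)
    if proc.returncode == 0:
        return proc.stdout
    if proc.returncode == 2 and args and args[0] == "list":
        return ""
    raise RuntimeError(f"vault {' '.join(args)} failed: {proc.stderr.strip()}")


def list_keys(prefix: str, run: Runner) -> List[str]:
    """Children of `prefix` (which must end in '/'). Vault returns
    sub-folders with a trailing '/', plain secrets without one."""
    out = run(["list", "-format=json", prefix])
    return json.loads(out) if out.strip() else []


def walk_leaves(path: str, run: Runner) -> Iterator[str]:
    """Depth-first generator of every leaf secret under `path`.
    Listing is lazy, so an abandoned run only fetched what it needed."""
    prefix = path.rstrip("/") + "/"
    for key in list_keys(prefix, run):
        if key.endswith("/"):
            yield from walk_leaves(prefix + key, run)
        else:
            yield prefix + key


def delete_tree(path: str, run: Runner = run_vault, dry_run: bool = False,
                pause: float = 0.0) -> List[str]:
    """Delete every leaf under `path`, one request per secret. Returns the
    paths deleted (or that would be deleted when dry_run is set). Folders
    need no separate delete in KV v1: they vanish when their last key goes."""
    deleted: List[str] = []
    for leaf in walk_leaves(path, run):
        if not dry_run:
            run(["delete", leaf])
        deleted.append(leaf)
        if pause:
            time.sleep(pause)  # spread load on the backend (see Jeff's comment)
    return deleted


# --- offline stand-in for the CLI over a constructed sample tree ---
def make_fake_runner(tree: Dict[str, List[str]], deleted: List[str]) -> Runner:
    """Simulate `vault list -format=json <prefix>` and `vault delete <path>`
    over `tree`, a map of folder prefix -> child keys. Every delete is
    appended to `deleted` so a caller can check what was touched."""
    def run(args: List[str]) -> str:
        if args[0] == "list":
            return json.dumps(tree.get(args[2], []))
        if args[0] == "delete":
            deleted.append(args[1])
            return ""
        raise ValueError(f"unexpected command {args}")
    return run


SAMPLE_TREE: Dict[str, List[str]] = {  # constructed, mirrors the issue's example
    "secret/teams/teamA/": ["password1", "password2", "db/"],
    "secret/teams/teamA/db/": ["primary", "replica"],
    "secret/teams/teamB/": ["password1"],
}


def demo() -> List[str]:
    """Delete everything under teamA in the fake tree; teamB stays untouched."""
    touched: List[str] = []
    return delete_tree("secret/teams/teamA", run=make_fake_runner(SAMPLE_TREE, touched))


if __name__ == "__main__":
    for p in demo():
        print("deleted", p)
```

Against a real server, `delete_tree("secret/teams/teamA", dry_run=True)` prints the walk without touching anything, and the token used needs both `list` and `delete` capabilities on the path in its policy. For the KV version 2 engine the same walk applies, but `vault delete` on a `secret/data/...` path only soft-deletes the latest version; use `vault kv list` and `vault kv metadata delete` there if the goal is to remove all versions.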

Thanks Jeff, makes sense!

I wrote a ruby script to do this in our environment, then cleaned it up and put it in a repo in case anyone needs to do this: https://github.com/BuyerQuest/vault-recursive-delete

I came here looking for the same thing and ended up just using a bash for loop
for path in $(vault list database/roles); do vault delete database/roles/${path}; done

I have created a script that will recursively delete a path in the KV secrets engine version 2.

It may help https://github.com/Abukamel/vault-recursive-delete
