Vault
Patch versioned key/value data
Use the patch process to update specific values or add new key/value pairs to
an existing data path in the kv
v2 plugin.
Assumptions
- You have set up a
kv
v2 plugin. - Your authentication token has appropriate permissions for the
kv
v2 plugin:patch
permission to make direct updates withPATCH
actions.create
+update
permission to make indirect updates by combiningGET
andPOST
actions.
Use the vault kv patch
command and set the
-cas
flag to the expected data version to perform a check-and-set operation
before applying the patch:
$ vault kv patch \
-cas <target_version> \
-max-versions <max_versions> \
-mount <mount_path> \
<secret_path> \
<key_name>=<key_value>
For example:
$ vault kv patch -cas 2 -mount shared dev/square-api prod=5678
======= Secret Path =======
shared/data/dev/square-api
======= Metadata =======
Key Value
--- -----
created_time 2024-11-13T21:52:10.326204209Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 2
If the -cas
version is older than the current version of data at the target
path, the patch fails:
$ vault kv patch -cas 1 -mount shared dev/square-api prod=5678
Error writing data to shared/data/dev/square-api: Error making API request.
URL: PATCH http://192.168.0.1:8200/v1/shared/data/dev/square-api
Code: 400. Errors:
* check-and-set parameter did not match the current version
To force a patch, you can exclude the -cas
flag or use the
read+write
patch method with the -method
flag. For example:
$ vault kv patch -method rw -mount shared dev/square-api prod=5678
======= Secret Path =======
shared/data/dev/square-api
======= Metadata =======
Key Value
--- -----
created_time 2024-11-13T21:58:32.128442898Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 3
Instead of using an HTTP PATCH
action, the read+write
method uses a sequence
of GET
and POST
operations to fetch the most recent version of data stored
at the targeted path, perform an in-memory update to the targeted keys, then
push the update to the plugin.