Managing Paths and Secrets
About Managing Paths and Secrets
You can add, edit, or delete paths and secrets in your Vault service instance. A path specifies the storage location of a secret. The Vault service's storage mechanism is similar to a virtual file system: when you create an instance of the Vault service, its default storage location is defined by a specific path that is the equivalent of a home directory in a file system.
You can then add sub-paths to the default path to define additional storage locations, or nodes. The sub-paths are equivalent to the hierarchy of folders and sub-folders in a file system. Secrets are stored under a path as key/value pairs.
You can manage paths either with the REST APIs or with the Vault dashboard UI. For more information on the Vault dashboard, see vault-service-using-dashboard.html#task_aa8e373e-b952-4c12-a9e8-b1114219b0a4.
To construct the URL for a Vault service API call, take the vault_url from your VCAP_SERVICES environment variable. The vault_url contains the root path (a set of GUIDs) of your vault instance. The following is an example of a vault_url containing the root path:
https://predix-vault.aws-usw02-pr.ice.predix.io/v1/secret/81f37567-f14c-4289-817b-57b15ee24d2e/078221f7-da65-491c-9185-4d3f47442e9f/6cb25da8-7206-4dd2-944e-9717c04a0a7e
You can use the Vault service API to perform the following tasks related to managing paths and secrets:
- Storing a Secret (vault-service-managing-paths-secrets.html#reference_f8139edb-f351-458c-b761-78bca57595fb__storing_a_secret)
- Retrieving a Secret (vault-service-managing-paths-secrets.html#reference_f8139edb-f351-458c-b761-78bca57595fb__retrieving_a_secret)
- Retrieving a List of Key Names (vault-service-managing-paths-secrets.html#reference_f8139edb-f351-458c-b761-78bca57595fb__retrieving_list_of_key_names)
- Deleting a Secret (vault-service-managing-paths-secrets.html#reference_f8139edb-f351-458c-b761-78bca57595fb__deleting_a_secret)
Additionally, the Vault service provides a one-time secret sharing capability by wrapping the value. To use this capability, use the following APIs:
- Wrapping a Value in a Response-Wrapped Token (vault-service-managing-paths-secrets.html#reference_a8e99740-c75a-4607-aa8a-77482b00f3c1__wrapping_in_response_wrapped_token)
- Returning Wrapping Token Properties (vault-service-managing-paths-secrets.html#reference_a8e99740-c75a-4607-aa8a-77482b00f3c1__returning_wrapping_token_properties)
- Re-wrapping a Response-Wrapped Token (vault-service-managing-paths-secrets.html#reference_a8e99740-c75a-4607-aa8a-77482b00f3c1__rewrapping_response_wrapped_token)
- Unwrapping a Wrapped Response (vault-service-managing-paths-secrets.html#reference_a8e99740-c75a-4607-aa8a-77482b00f3c1__unwrapping_a_wrapped_response)
APIs: Creating, Retrieving, and Deleting Paths and Secrets
You can use APIs to manage paths and secrets in Vault.
Storing a Secret
| Field | Value |
|---|---|
| API | /secret |
| Description | Stores a secret at the specified location. |
| Method | POST/PUT |
| URL | /secret/<path>, where <path> is the storage location below your instance's root path. |
| Parameters | key: a key name paired with the value to be stored at the given path. You can specify multiple key/value pairs; the read operation retrieves all of them. |
| Header | X-Vault-Token: <token> |
| Returns | A 204 response code. |
Retrieving a Secret
| Field | Value |
|---|---|
| API | /secret |
| Description | Retrieves the secret at the specified location. |
| Method | GET |
| URL | /secret/<path>, where <path> is the storage location below your instance's root path. |
| Parameters | None |
| Header | X-Vault-Token: <token> |
| Returns | |
Retrieving a List of Key Names
| Field | Value |
|---|---|
| API | /secret |
| Description | Returns the list of key names at the specified location. Folder names are suffixed with /. The input must be a folder; listing a file returns no value. The values themselves are not accessible through this operation. Note: policy-based filtering is not performed on keys, so do not encode sensitive information in key names. |
| Method | LIST/GET |
| URL | /secret/<path> (LIST) or /secret/<path>?list=true (GET), where <path> is the storage location below your instance's root path. |
| Parameters | None |
| Header | X-Vault-Token: <token> |
| Returns | The example below shows output for a query path of |
Deleting a Secret
| Field | Value |
|---|---|
| API | /secret |
| Description | Deletes the secret at the specified location. |
| Method | DELETE |
| URL | /secret/<path>, where <path> is the storage location below your instance's root path. |
| Parameters | None |
| Header | X-Vault-Token: <token> |
| Returns | A 204 response code. |
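The following Python module is an added example; it is not part of this documentation and not the Vault service's own client code. It reads the vault_url and token from a constructed VCAP_SERVICES document (the service label "predix-vault" and the credential key names are assumptions), builds the store, read, list and delete calls described above with the X-Vault-Token header, validates each sub-path segment so a caller cannot climb above the instance's root path, and splits a list response into folders and keys by the trailing slash. A small in-memory FakeVault, also constructed here, mirrors the documented status codes so the whole round trip runs offline; the {"data": {"keys": [...]}} response shape is an assumption, since the page leaves the list call's return value unspecified.

```python
import json
import re

# Constructed VCAP_SERVICES document shaped like the JSON Cloud Foundry injects into
# a bound application. The service label "predix-vault" and the credential key names
# "vault_url" and "token" are assumptions made for this example.
SAMPLE_VCAP_SERVICES = json.dumps({
    "predix-vault": [{
        "name": "my-vault",
        "credentials": {
            "vault_url": "https://predix-vault.example.invalid/v1/secret/"
                         "11111111-2222-3333-4444-555555555555/"
                         "66666666-7777-8888-9999-000000000000/"
                         "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
            "token": "PLACEHOLDER-VAULT-TOKEN",
        },
    }]
})

# One path segment: letters, digits, dot, underscore, hyphen. "." and ".." are
# rejected separately so a sub-path cannot climb above the instance root path.
_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")


def vault_url_from_vcap(vcap_services, label="predix-vault"):
    """Return (vault_url, token) from the first binding with the given label."""
    creds = json.loads(vcap_services)[label][0]["credentials"]
    return creds["vault_url"].rstrip("/"), creds["token"]


def secret_url(vault_url, path):
    """Append a sub-path to the instance root path after validating every segment."""
    segments = path.strip("/").split("/")
    for seg in segments:
        if seg in (".", "..") or not _SEGMENT.match(seg):
            raise ValueError("invalid secret path: %r" % path)
    return vault_url + "/" + "/".join(segments)


def secret_request(vault_url, token, method, path, keyvalues=None):
    """Describe one call against /secret/<path> as a dict a sender can execute.

    method is POST or PUT (store), GET (read), LIST (key names) or DELETE.
    LIST is sent as GET with ?list=true, the documented equivalent.
    """
    method = method.upper()
    url = secret_url(vault_url, path)
    headers = {"X-Vault-Token": token}
    body = None
    if method in ("POST", "PUT"):
        if not keyvalues:
            raise ValueError("storing a secret needs at least one key/value pair")
        headers["Content-Type"] = "application/json"
        body = json.dumps(keyvalues)
    elif method == "LIST":
        method, url = "GET", url + "?list=true"
    elif method not in ("GET", "DELETE"):
        raise ValueError("unsupported method: " + method)
    return {"method": method, "url": url, "headers": headers, "body": body}


def split_listing(response_json):
    """Split a list response into (folders, keys); folder names end in '/'.
    The {"data": {"keys": [...]}} shape is an assumption: the page leaves the
    return value of the list call unspecified."""
    keys = response_json["data"]["keys"]
    folders = [k for k in keys if k.endswith("/")]
    return folders, [k for k in keys if k not in folders]


class FakeVault:
    """In-memory stand-in for the service so the client runs offline. It mirrors only
    the documented semantics: 204 on store and delete, key names with a '/' suffix
    for folders, and no value when a file rather than a folder is listed."""

    def __init__(self, vault_url, token):
        self.root, self.token, self.store = vault_url, token, {}

    def send(self, req):
        if req["headers"].get("X-Vault-Token") != self.token:
            return 403, None
        rel, _, query = req["url"][len(self.root) + 1:].partition("?")
        if req["method"] in ("POST", "PUT"):
            self.store[rel] = json.loads(req["body"])
            return 204, None
        if req["method"] == "DELETE":
            self.store.pop(rel, None)
            return 204, None
        if query == "list=true":
            prefix, names = rel + "/", set()
            for key in self.store:
                if key.startswith(prefix):
                    rest = key[len(prefix):]
                    names.add(rest.split("/")[0] + ("/" if "/" in rest else ""))
            return (200, {"data": {"keys": sorted(names)}}) if names else (404, None)
        return (200, {"data": self.store[rel]}) if rel in self.store else (404, None)
```

To talk to a real instance, replace FakeVault.send with an HTTP call (urllib or requests) that sends req["method"], req["url"], req["headers"] and req["body"] unchanged; the request dicts are built so nothing else has to change, and the path validation runs before any request leaves the process.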
APIs: One Time Secret Sharing
Vault service provides one time secret sharing capability by wrapping the specified value.
Wrapping a Value in a Response-Wrapped Token
| Field | Value |
|---|---|
| API | /sys/wrapping/wrap |
| Description | Wraps the user-specified data inside a response-wrapped token. |
| Method | POST |
| URL | /sys/wrapping/wrap |
| Parameters | :any (map<string\|string>: nil) (required): key:value pairs in a JSON object. The exact set of parameters given is contained in the wrapped response. |
| Header | X-Vault-Token: <token> |
| Sample Payload | |
| Sample Request | |
| Returns | |
Returning Wrapping Token Properties
| Field | Value |
|---|---|
| API | /sys/wrapping/lookup |
| Description | Returns the properties of a wrapping token. |
| Method | POST |
| URL | /sys/wrapping/lookup |
| Parameters | token (required): the wrapping token ID. |
| Header | X-Vault-Token: <token> |
| Sample Payload | |
| Sample Request | |
| Returns | |
Re-wrapping a Response-Wrapped Token
| Field | Value |
|---|---|
| API | /sys/wrapping/rewrap |
| Description | Re-wraps a response-wrapped token. The new token uses the same creation TTL as the original token and contains the same response; the old token is invalidated. This API is useful when a secret must be kept in a response-wrapped token for a long time and the token therefore needs rotation. |
| Method | POST |
| URL | /sys/wrapping/rewrap |
| Parameters | token (required): the wrapping token ID. |
| Header | X-Vault-Token: <token> |
| Sample Payload | |
| Sample Request | |
| Returns | |
Unwrapping a Wrapped Response
| Field | Value |
|---|---|
| API | /sys/wrapping/unwrap |
| Description | Returns the original response stored inside the given wrapping token. The API validates the token, returns the original value, and ensures that the response is logged for audit purposes. |
| Method | POST |
| URL | /sys/wrapping/unwrap |
| Parameters | token: the wrapping token ID. Not required if the wrapping token itself is used as the client token (X-Vault-Token) in the call; required if a different token with permission to access this endpoint is used as the client token. Note: do not pass the token parameter while also using the wrapping token as the client token. This is considered double use of the token: the Vault service revokes the wrapping token and the value can no longer be looked up. |
| Header | X-Vault-Token: <token> |
| Sample Payload | |
| Sample Request | |
| Returns | |
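The following Python module is an added example and is not code from this documentation or from the Vault service. It builds the four wrapping calls above as request dicts, refuses to build an unwrap request that would pass the wrapping token both as X-Vault-Token and as the token parameter (the double use the unwrap description warns about), and exercises the calls against a constructed in-memory FakeWrapping that mirrors the documented behaviour: wrapping tokens are single-use, rewrap keeps the creation TTL and invalidates the old token, and double use revokes the token. The placement of the endpoints under /v1/sys/wrapping on the vault_url host, the X-Vault-Wrap-TTL header, and the wrap_info/data response shapes follow HashiCorp Vault and are assumptions here, since the page's sample payloads and return values are not shown.

```python
import json
import secrets


def _wrapping_url(vault_url, endpoint):
    """vault_url ends in /v1/secret/<root GUIDs>; this example assumes the /sys/wrapping
    endpoints live on the same host under /v1, as they do in HashiCorp Vault."""
    host = vault_url.split("/v1/", 1)[0]
    return host + "/v1/sys/wrapping/" + endpoint


def _post(vault_url, client_token, endpoint, payload, extra_headers=None):
    headers = {"X-Vault-Token": client_token, "Content-Type": "application/json"}
    headers.update(extra_headers or {})
    return {"method": "POST", "url": _wrapping_url(vault_url, endpoint),
            "headers": headers, "body": None if payload is None else json.dumps(payload)}


def wrap_request(vault_url, token, data, ttl="300s"):
    """Wrap key:value pairs. The X-Vault-Wrap-TTL header that sets the creation TTL is
    HashiCorp Vault's and assumed here; the page names no TTL parameter."""
    return _post(vault_url, token, "wrap", data, {"X-Vault-Wrap-TTL": ttl})


def lookup_request(vault_url, token, wrapping_token):
    return _post(vault_url, token, "lookup", {"token": wrapping_token})


def rewrap_request(vault_url, token, wrapping_token):
    return _post(vault_url, token, "rewrap", {"token": wrapping_token})


def unwrap_request(vault_url, client_token, wrapping_token=None):
    """Unwrap either with the wrapping token as the client token (no body) or with a
    separate token plus the 'token' parameter. Passing the wrapping token in both
    places is the documented double use, after which the service revokes it, so the
    client refuses to build such a request."""
    if wrapping_token is not None and wrapping_token == client_token:
        raise ValueError("double use: give the wrapping token as X-Vault-Token "
                         "or as the token parameter, never both")
    payload = None if wrapping_token is None else {"token": wrapping_token}
    return _post(vault_url, client_token, "unwrap", payload)


class FakeWrapping:
    """Offline stand-in mirroring the documented semantics: wrapping tokens are
    single-use, rewrap keeps the creation TTL and invalidates the old token, and
    double use revokes the token. Response shapes follow HashiCorp Vault (assumed)."""

    def __init__(self, service_token):
        self.service_token, self.wrapped = service_token, {}

    def _new_token(self, entry):
        tok = "wrap-" + secrets.token_hex(8)   # constructed token format
        self.wrapped[tok] = entry
        return 200, {"wrap_info": {"token": tok, "ttl": entry["ttl"]}}

    def send(self, req):
        endpoint = req["url"].rsplit("/", 1)[1]
        client = req["headers"]["X-Vault-Token"]
        body = json.loads(req["body"]) if req["body"] else {}
        invalid = (400, {"errors": ["wrapping token is not valid or does not exist"]})
        if endpoint == "unwrap":
            if client in self.wrapped and "token" in body:
                self.wrapped.pop(client)           # double use: token revoked
                return 400, {"errors": ["double use of wrapping token"]}
            entry = self.wrapped.pop(body.get("token", client), None)  # single use
            return (200, {"data": entry["data"]}) if entry else invalid
        if client != self.service_token:
            return 403, None
        if endpoint == "wrap":
            return self._new_token({"ttl": req["headers"].get("X-Vault-Wrap-TTL"), "data": body})
        entry = self.wrapped.get(body.get("token"))
        if entry is None:
            return invalid
        if endpoint == "lookup":
            return 200, {"data": {"creation_ttl": entry["ttl"]}}
        if endpoint == "rewrap":
            self.wrapped.pop(body["token"])        # old token invalidated
            return self._new_token(entry)          # same creation TTL, same response
        return 404, None


if __name__ == "__main__":
    url = "https://predix-vault.example.invalid/v1/secret/00000000-0000-0000-0000-000000000000"
    tok = "PLACEHOLDER-VAULT-TOKEN"
    fake = FakeWrapping(tok)
    _, info = fake.send(wrap_request(url, tok, {"db_password": "constructed"}, ttl="120s"))
    print("unwrapped:", fake.send(unwrap_request(url, info["wrap_info"]["token"]))[1])
```

The receiving party normally unwraps with the wrapping token as its client token and nothing else, which is why unwrap_request takes the wrapping token alone for that case; the second form, a privileged token plus the token parameter, is for an operator acting on someone else's wrapped value. Keeping those two forms distinct in the client is what prevents the double-use revocation from happening by accident.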