
Use vault kv put instead of patch when modifying secrets

Marcel Chacon requested to merge mchacon-vault-kv-put into master

As per gitlab-com/gl-infra/production#9094 (comment 1364739346), using vault kv patch had unintended consequences: the secret was not being updated with the expected structure, since patch only added the diff between the files but did not remove the secrets from the old structure.

Using vault kv put instead is desirable so that the new secret version is written from the entire JSON value of the modified secret, and not just the diff.

Test with vault kv patch:

➜  runbooks git:(mchacon-vault-get-secret) ./bin/vault show-secret chef env/db-benchmarking/shared/test-secret
{
  "favorite-things": {
    "animal": "dog",
    "car": "tesla",
    "color": "blue",
    "food": "pizza",
    "place": "san francisco"
  },
  "password": "foopass",
  "user": "foo"
}
➜  runbooks git:(mchacon-vault-get-secret) ./bin/vault edit-secret chef env/db-benchmarking/shared/test-secret
Retrieving secret from Vault
Checking file is valid json
Creating new env/db-benchmarking/shared/test-secret version in Vault
================== Secret Path ==================
chef/data/env/db-benchmarking/shared/test-secret

======= Metadata =======
Key                Value
---                -----
created_time       2023-04-25T13:14:51.532720345Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            14
Updated secret:
{
  "database": {
    "password": "foopass",
    "user": "foo"
  },
  "favorite-things": {
    "animal": "dog",
    "car": "tesla",
    "color": "blue",
    "food": "pizza",
    "place": "san francisco"
  },
  "password": "foopass",
  "user": "foo"
}

Test while using vault kv put:

➜  runbooks git:(mchacon-vault-get-secret) ✗ ./bin/vault edit-secret chef env/db-benchmarking/shared/test-secret
Retrieving secret from Vault
Checking file is valid json
Creating new env/db-benchmarking/shared/test-secret version in Vault
================== Secret Path ==================
chef/data/env/db-benchmarking/shared/test-secret

======= Metadata =======
Key                Value
---                -----
created_time       2023-04-25T13:17:08.936880703Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            15
Updated secret:
{
  "database": {
    "password": "foopass",
    "user": "foo"
  },
  "favorite-things": {
    "animal": "dog",
    "car": "tesla",
    "color": "blue",
    "food": "pizza",
    "place": "san francisco"
  }
}

We can now see the user and password being removed.
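The following is an added example, not code from the runbooks repository or from this merge request. It models the two write paths offline so the difference in the test output above can be reproduced and checked: the KV v2 patch endpoint applies the supplied document as an RFC 7396 JSON merge patch on top of the current secret (so top-level keys the edited file no longer mentions survive), whereas put replaces the whole value. The secret contents are constructed from the page's test-secret, and the function names are assumptions of this example. It also goes one step beyond the page by computing the stale keys that a patch would leave behind, and the nulled-key patch that would remove them, which is a useful check before writing a secret whose structure changed.

```python
"""Model of `vault kv patch` vs `vault kv put` on a KV v2 secret (constructed example, no Vault calls)."""
import copy

# Constructed from the secret shown on the page before the edit (show-secret output).
CURRENT_SECRET = {
    "favorite-things": {
        "animal": "dog",
        "car": "tesla",
        "color": "blue",
        "food": "pizza",
        "place": "san francisco",
    },
    "password": "foopass",
    "user": "foo",
}

# The edited file: credentials moved under "database", top-level copies dropped.
EDITED_SECRET = {
    "database": {"password": "foopass", "user": "foo"},
    "favorite-things": copy.deepcopy(CURRENT_SECRET["favorite-things"]),
}


def merge_patch(target, patch):
    """RFC 7396 JSON merge patch: objects merge recursively, null deletes a key,
    anything else replaces the target value (assumed to match the KV v2 patch endpoint)."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


def kv_patch(current, edited):
    """What `vault kv patch` stores: the edit merged onto the current version."""
    return merge_patch(current, edited)


def kv_put(current, edited):
    """What `vault kv put` stores: the edited document as a whole, current version ignored."""
    return copy.deepcopy(edited)


def stale_keys(current, edited):
    """Top-level keys that a patch would silently keep because the edit no longer lists them."""
    return sorted(set(current) - set(edited))


def deletion_patch(current, edited):
    """A merge patch that behaves like put: nulls every key the edit dropped."""
    patch = copy.deepcopy(edited)
    for key in stale_keys(current, edited):
        patch[key] = None
    return patch


if __name__ == "__main__":
    import json
    print("patch result:", json.dumps(kv_patch(CURRENT_SECRET, EDITED_SECRET), indent=2))
    print("put result:  ", json.dumps(kv_put(CURRENT_SECRET, EDITED_SECRET), indent=2))
    print("stale keys a patch would keep:", stale_keys(CURRENT_SECRET, EDITED_SECRET))
```

Running the block reproduces the two "Updated secret" outputs from the tests above: the patch result still carries the top-level "password" and "user", the put result does not. The stale_keys check is the practical takeaway for an edit-secret workflow: if it returns anything, a patch would leave old credential copies readable in the new version, so either write the whole document with put, as this merge request does, or include those keys as null in the patch.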

Edited by Marcel Chacon
