Patch versioned key/value data
Use the patch process to update specific values or add new key/value pairs to
an existing data path in the kv
v2 plugin.
Assumptions
- You have set up a
kv
v2 plugin. - Your authentication token has appropriate permissions for the
kv
v2 plugin:patch
permission to make direct updates withPATCH
actions.create
+update
permission to make indirect updates by combiningGET
andPOST
actions.
Use the vault kv patch
command and set the
-cas
flag to the expected data version to perform a check-and-set operation
before applying the patch:
$ vault kv patch \ -cas <target_version> \ -max-versions <max_versions> \ -mount <mount_path> \ <secret_path> \ <key_name>=<key_value>
For example:
$ vault kv patch -cas 2 -mount shared dev/square-api prod=5678 ======= Secret Path =======shared/data/dev/square-api ======= Metadata =======Key Value--- -----created_time 2024-11-13T21:52:10.326204209Zcustom_metadata <nil>deletion_time n/adestroyed falseversion 2
If the -cas
version is older than the current version of data at the target
path, the patch fails:
$ vault kv patch -cas 1 -mount shared dev/square-api prod=5678 Error writing data to shared/data/dev/square-api: Error making API request. URL: PATCH http://192.168.0.1:8200/v1/shared/data/dev/square-apiCode: 400. Errors: * check-and-set parameter did not match the current version
To force a patch, you can exclude the -cas
flag or use the
read+write
patch method with the -method
flag. For example:
$ vault kv patch -method rw -mount shared dev/square-api prod=5678 ======= Secret Path =======shared/data/dev/square-api ======= Metadata =======Key Value--- -----created_time 2024-11-13T21:58:32.128442898Zcustom_metadata <nil>deletion_time n/adestroyed falseversion 3
Instead of using an HTTP PATCH
action, the read+write
method uses a sequence
of GET
and POST
operations to fetch the most recent version of data stored
at the targeted path, perform an in-memory update to the targeted keys, then
push the update to the plugin.