manintheit.org


Vault Patch Method

With the release of HashiCorp Vault 1.9.0, managing secrets has become more streamlined. One of the standout features is the ability to update only the specified keys of a KV v2 secret, giving users precise control over their credentials in Vault.

Imagine this: you want to update one particular field (key) of a secret at a Vault path without touching the others. Below is boilerplate code showing how to achieve this.

#!/bin/bash
set -euo pipefail

VAULT_ADDR="http://vault:8200"   # lab address; use https outside a lab
VAULT_LOCATION="secret/data/global/artifactory" # kv2 secret engine
VAULT_TOKEN="<token>"
vaultExtraArgs=()

# Read the current version: prints the inner data object, or nothing if the path has no data yet.
VAULT_REQUEST_TEST=$(curl -Ss --header "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/$VAULT_LOCATION" | jq -r '.data?.data? // empty')

# Existing data: PATCH merges only the fields sent. No data yet: POST creates the first version.
if [[ "${VAULT_REQUEST_TEST}" ]]; then
  vaultExtraArgs=(-X PATCH --header 'Content-Type: application/merge-patch+json')
else
  vaultExtraArgs=(-X POST)
fi

echo "${VAULT_REQUEST_TEST}"   # debug only: this prints the existing secret values to stdout

# Build the body with jq rather than string interpolation so the value is JSON-escaped.
jq -n --arg pass 'sos3cr3t' '{data:{password:$pass}}' | curl -Ss "${vaultExtraArgs[@]}" --header "X-Vault-Token: $VAULT_TOKEN" -d @- "$VAULT_ADDR/v1/$VAULT_LOCATION"

Note: The calling token must have an ACL policy granting the patch capability on the path. Because the script first reads the path and falls back to POST when it has no data, the policy also needs read, and create or update, for those two requests.
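To make the difference between the two branches concrete, here is an added Python model (not the post's script and not Vault's code) of a single KV v2 path: POST writes a whole new version, PATCH applies an RFC 7396 merge patch to the current version, and the same read-then-decide logic as the script sits on top. The fake path and its sample data are constructed; it assumes Vault applies the merge patch key by key with null deleting a key, as the declared Content-Type implies.

```python
import copy

def merge_patch(target, patch):
    """RFC 7396 JSON Merge Patch: objects merge key by key, null deletes a key."""
    if not isinstance(patch, dict):
        return patch
    result = dict(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = merge_patch(result.get(key), value)
    return result

class FakeKvV2Path:
    """Constructed stand-in for one KV v2 path; only the 'data' object of each version is kept."""

    def __init__(self):
        self.versions = []  # versions[i] holds the data of version i + 1

    def current(self):
        return copy.deepcopy(self.versions[-1]) if self.versions else None

    def post(self, data):
        """POST /v1/<mount>/data/<path>: a whole new version; keys not sent are gone."""
        self.versions.append(copy.deepcopy(data))
        return len(self.versions)

    def patch(self, data):
        """PATCH with application/merge-patch+json: merged onto the current version."""
        if not self.versions:
            raise LookupError("nothing to patch: Vault answers 404 here")
        self.versions.append(merge_patch(self.versions[-1], data))
        return len(self.versions)

def upsert_field(kv, field, value):
    """The script's decision: PATCH when the path already has data, POST otherwise.
    Returns (method used, new version number)."""
    if kv.current():
        return "PATCH", kv.patch({field: value})
    return "POST", kv.post({field: value})

if __name__ == "__main__":
    kv = FakeKvV2Path()
    kv.post({"username": "deploy", "password": "old", "url": "https://artifactory.example"})
    # PATCH keeps username and url; a plain POST of {"password": ...} would drop them.
    print(upsert_field(kv, "password", "sos3cr3t"), kv.current())
```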
