Vault Patch Method

With the release of HashiCorp Vault 1.9.0, managing secrets has become even more streamlined and efficient. One of the standout features is the ability to update only the specified fields of a secret, giving users precise control over their credentials within Vault.

Imagine this: you want to update one particular field of a secret at a Vault path without touching the others. Here is boilerplate code showing how to achieve this.


VAULT_LOCATION="secret/data/global/artifactory" # kv2 secret engine

VAULT_REQUEST_TEST=$(curl -Ss --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/$VAULT_LOCATION | jq -r '.data?.data? // empty')

[[ "${VAULT_REQUEST_TEST}" ]] && vaultExtraArgs=(-X PATCH --header 'Content-Type: application/merge-patch+json') || vaultExtraArgs=(-X POST)


jq -n --arg pass 'sos3cr3t' '{data:{password:$pass}}' | curl -Ss "${vaultExtraArgs[@]}" --header "X-Vault-Token: $VAULT_TOKEN" -d @- $VAULT_ADDR/v1/$VAULT_LOCATION

Note: The calling token must have an ACL policy granting the patch capability.
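The same read-then-PATCH-or-POST decision in Python, as an added example that is not part of the original post or of Vault itself. It also spells out what a JSON merge patch (RFC 7396, the semantics behind application/merge-patch+json in KV v2) does to an existing secret: named keys are replaced, a null deletes a key, and everything else is preserved. It assumes VAULT_ADDR and VAULT_TOKEN are set, uses the post's path secret/data/global/artifactory, and treats only a 404 as "secret does not exist"; a 403 from a token without read is raised instead of silently turning into a POST that would overwrite every field.

```python
import json
import os
import urllib.error
import urllib.request


def apply_merge_patch(target, patch):
    """Apply an RFC 7396 JSON merge patch, which is what Vault KV v2 does
    with Content-Type application/merge-patch+json: keys present in `patch`
    replace the same keys in `target`, a null value deletes the key, and
    keys absent from `patch` are left untouched."""
    if not isinstance(patch, dict):
        return patch
    result = dict(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = apply_merge_patch(result.get(key), value)
    return result


def build_request(existing, fields):
    """Choose the HTTP method the way the post's shell snippet does:
    PATCH (merge) when the secret already exists, POST (full write) when
    it does not. Returns (method, headers, body)."""
    body = json.dumps({"data": fields}).encode()
    if existing is not None:
        return "PATCH", {"Content-Type": "application/merge-patch+json"}, body
    return "POST", {"Content-Type": "application/json"}, body


def read_secret(addr, token, location):
    """GET the current KV v2 data. Returns the .data.data dict, or None only
    when Vault answers 404 (no live version at that path). Any other error,
    such as 403 because the token lacks read, is raised rather than treated
    as 'does not exist', so a permission problem never becomes a POST that
    overwrites every field."""
    req = urllib.request.Request(f"{addr}/v1/{location}",
                                 headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp).get("data", {}).get("data")
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def write_fields(addr, token, location, fields):
    """Update only `fields` at `location`; other keys are preserved."""
    existing = read_secret(addr, token, location)
    method, headers, body = build_request(existing, fields)
    headers["X-Vault-Token"] = token
    req = urllib.request.Request(f"{addr}/v1/{location}", data=body,
                                 headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # The path is the one used in the post; the field name and value are
    # constructed for this example.
    print(write_fields(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"],
                       "secret/data/global/artifactory",
                       {"password": "sos3cr3t"}))
```

apply_merge_patch is only a local model of what Vault applies server-side; it is here so you can see, before sending anything, which keys a given body would change or remove. The token needs read on the path for the existence check and patch for the merge, and create/update if the POST fallback is ever expected to run.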
