
Secret Manager

Securely manage secrets with Vault.

KV Secret Engine

The KV (Key-Value) Secret Engine is Vault's default secrets engine, ideal for storing arbitrary secrets such as API keys, passwords, or configuration values. It serves as a secure alternative to traditional environment files.

This guide focuses on using the Vault CLI rather than the UI.

Enabling the KV Secret Engine

First, you need to set the VAULT_ADDR environment variable. You can do this by adding it to your ~/.bashrc or ~/.zshrc file for persistent use, or by defining it temporarily in your current shell session.

export VAULT_ADDR='http://127.0.0.1:8200'

The address points to the local instance of Vault since it is not being used in a clustered setup.

To enable the KV secret engine at a specific path (e.g., secret/), you must first log in as a user. Use the following command:

vault login

Next, provide your authentication token (e.g., root token or another valid token) to proceed.

Now that we are logged in, we can enable the KV Secret Engine. Simply run the following command to activate the engine at the specified path (e.g., secret/):

vault secrets enable -path=secret -version=2 kv

Congratulations! You have successfully enabled your first KV Secret Engine.

If you wish to disable the KV Secret Engine, you can do so by running the following command:

vault secrets disable secret

Managing Secrets in KV

In this section, we will learn how to store, read, update, and delete secrets, as well as manage secret versions.

Storing Secrets

To store secrets in the newly enabled KV Secret Engine, use the following command:

vault kv put secret/{name_secret} mykey=myvalue

And now, you have successfully saved your first secret!

Reading Secrets

To read a secret stored in the KV Secret Engine, use the following command:

vault kv get secret/{name_secret}

Updating Secrets

To update an existing secret in the KV Secret Engine, use the same vault kv put command with the new key-value pairs. For example:

vault kv put secret/{name_secret} mykey=newvalue

Deleting Secrets

To delete a secret from the KV Secret Engine, use the following command:

vault kv delete secret/{name_secret}

Deleting Versions of a Secret

To delete specific versions of a secret in the KV Secret Engine, use the following command (the flag is -versions, taking a comma-separated list):

vault kv delete -versions=1,2 secret/{name_secret}

Or, if you want to permanently remove all versions and metadata for a secret, use :

vault kv metadata delete secret/{name_secret}
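The CLI commands in this section are thin wrappers over the KV v2 HTTP API, and seeing the raw calls makes two things explicit that the commands hide: a v2 mount routes reads and writes through secret/data/, soft-deletes of versions through secret/delete/, and permanent removal through secret/metadata/; and vault kv put writes a whole new version containing only the keys you pass, so keys omitted from an "update" are dropped from that version (vault kv patch merges instead). The following client is an added example, not code from this guide; it assumes a Vault dev server reachable at VAULT_ADDR with a token in VAULT_TOKEN, and the mount name secret and the secret name demo are constructed values.

```python
"""Minimal KV v2 client mirroring the `vault kv` commands in this guide (stdlib only)."""
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")  # read from the environment, never hard-coded


def kv_request(op, name, payload=None, mount="secret"):
    """Map a `vault kv` operation to its KV v2 HTTP method, API path and JSON body.

    KV v2 inserts data/, delete/ or metadata/ between the mount and the secret
    name; the CLI adds this for you, which is why a plain `vault read secret/foo`
    fails against a v2 mount while `vault kv get secret/foo` works.
    """
    routes = {
        "put":             ("POST",   f"{mount}/data/{name}",     {"data": payload or {}}),
        "patch":           ("PATCH",  f"{mount}/data/{name}",     {"data": payload or {}}),
        "get":             ("GET",    f"{mount}/data/{name}",     None),
        "delete":          ("DELETE", f"{mount}/data/{name}",     None),   # soft-delete latest
        "delete_versions": ("POST",   f"{mount}/delete/{name}",   {"versions": payload}),
        "metadata_delete": ("DELETE", f"{mount}/metadata/{name}", None),   # permanent
    }
    return routes[op]


def call(op, name, payload=None):
    """Send one operation to Vault and return the decoded JSON response ({} if empty)."""
    method, path, body = kv_request(op, name, payload)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    req.add_header("X-Vault-Token", VAULT_TOKEN)
    if op == "patch":  # KV v2 patch is a JSON merge patch, not a regular write
        req.add_header("Content-Type", "application/merge-patch+json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def secret_data(response):
    """Return (key/value dict, version number) from a KV v2 read response."""
    return response["data"]["data"], response["data"]["metadata"]["version"]


if __name__ == "__main__":  # walk the guide's lifecycle against a dev server
    call("put", "demo", {"mykey": "myvalue", "other": "x"})  # version 1
    call("put", "demo", {"mykey": "newvalue"})               # version 2: "other" is gone
    call("patch", "demo", {"other": "x"})                    # version 3: merged, both keys present
    print(secret_data(call("get", "demo")))
    call("delete_versions", "demo", [1, 2])                  # soft-delete versions 1 and 2
    call("metadata_delete", "demo")                          # remove every version and its metadata
```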

Identity Secret Engine

The Identity Secret Engine in Vault manages users, groups, and metadata for fine-grained access control and integration with external identity providers.

Enabling the Userpass Auth Method

To allow users to authenticate with a username and password, you need to enable the userpass authentication method. Run the following command:

vault auth enable userpass

To disable the userpass authentication method, use the following command:

vault auth disable userpass

Managing the User

This section covers how to manage identities using the Vault Identity Secret Engine. You will learn how to create users, assign groups, and manage metadata for fine-grained access control.

Creating a User

To create a new user, use the following command:

vault write auth/userpass/users/{name_user} password="password123"

Changing a User's Password

To change the password for an existing user, use the following command:

vault write auth/userpass/users/{name_user} password="new_password"

Assigning Policies

To assign policies to a user, use the following command:

vault write auth/userpass/users/{name_user} policies="policy1, policy2"

Listing Users

To list all users managed by the userpass authentication method, use the following command:

vault list auth/userpass/users

Reading User Parameters

To read the parameters of a user in the userpass authentication method, use the following command:

vault read auth/userpass/users/{name_user}

Deleting a User

To delete a user from the userpass authentication method, use the following command:

vault delete auth/userpass/users/{name_user}