kv

package module
v0.26.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 20, 2026 License: MPL-2.0 Imports: 36 Imported by: 40

README

Vault Plugin: Key-Value Secrets Backend Build Status

This is a standalone backend plugin for use with Hashicorp Vault. This plugin provides Key-Value functionality to Vault.

Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, please responsibly disclose by contacting us at security@hashicorp.com.

- Vault Website: https://www.vaultproject.io
- KV Docs: https://www.vaultproject.io/docs/secrets/kv/index.html
- Main Project Github: https://www.github.com/hashicorp/vault

Getting Started

This is a Vault plugin and is meant to work with Vault. This guide assumes you have already installed Vault and have a basic understanding of how Vault works.

Otherwise, first read this guide on how to get started with Vault.

To learn specifically about how plugins work, see documentation on Vault plugins.

Usage

Please see documentation for the plugin on the Vault website.

This plugin is currently built into Vault and by default is accessed at kv. To enable this in a running Vault server:

$ vault secrets enable kv
Success! Enabled the kv secrets engine at: kv/

Additionally starting with Vault 0.10 this backend is by default mounted at secret/.

Developing

If you wish to work on this plugin, you'll first need Go installed on your machine (version 1.10+ is required).

For local dev first make sure Go is properly installed, including setting up a GOPATH. Next, clone this repository into $GOPATH/src/github.com/hashicorp/vault-plugin-secrets-kv. You can then download any required build tools by bootstrapping your environment:

$ make bootstrap

To compile a development version of this plugin, run make or make dev. This will put the plugin binary in the bin and $GOPATH/bin folders. dev mode will only generate the binary for your platform and is faster:

$ make
$ make dev

Once you've done that, there are two approaches to testing your new plugin version in Vault. You can add a temporary replace declaration in your local Vault checkout's go.mod (above the require declarations), such as:

replace github.com/hashicorp/vault-plugin-secrets-kv => /path/to/your/project/vault-plugin-secrets-kv

Alternatively, you could go through the plugin process. To do this, put the plugin binary into a location of your choice. This directory will be specified as the plugin_directory in the Vault config used to start the server.

...
plugin_directory = "path/to/plugin/directory"
...

Start a Vault server with this config file:

$ vault server -config=path/to/config.json ...
...

Once the server is started, register the plugin in the Vault server's plugin catalog:

$ vault plugin register \
        -sha256=<expected SHA256 Hex value of the plugin binary> \
        -command="vault-plugin-secrets-kv" \
        secret \
        kv

Note you should generate a new sha256 checksum if you have made changes to the plugin. Example using openssl:

openssl dgst -sha256 $GOPATH/vault-plugin-secrets-kv
...
SHA256(.../go/bin/vault-plugin-secrets-kv)= 896c13c0f5305daed381952a128322e02bc28a57d0c862a78cbc2ea66e8c6fa1

Enable the auth plugin backend using the secrets enable plugin command:

$ vault secrets enable -plugin-name='kv' plugin
...

Successfully enabled 'plugin' at 'kv'!
Tests

If you are developing this plugin and want to verify it is still functioning (and you haven't broken anything else), we recommend running the tests.

To run the tests, invoke make test:

$ make test

You can also specify a TESTARGS variable to filter tests like so:

$ make test TESTARGS='--run=TestConfig'

Documentation

Index

Constants

View Source 
const (
	ObservationTypeKVv1SecretRead   = "kvv1/secret/read"
	ObservationTypeKVv1SecretWrite  = "kvv1/secret/write"
	ObservationTypeKVv1SecretDelete = "kvv1/secret/delete"

	ObservationTypeKVv2SecretRead     = "kvv2/secret/read"
	ObservationTypeKVv2SecretWrite    = "kvv2/secret/write"
	ObservationTypeKVv2SecretDelete   = "kvv2/secret/delete"
	ObservationTypeKVv2SecretUndelete = "kvv2/secret/undelete"
	ObservationTypeKVv2SecretDestroy  = "kvv2/secret/destroy"
	ObservationTypeKVv2SecretPatch    = "kvv2/secret/patch"
	ObservationTypeKVv2ConfigRead     = "kvv2/config/read"
	ObservationTypeKVv2ConfigWrite    = "kvv2/config/write"
	ObservationTypeKVv2MetadataRead   = "kvv2/metadata/read"
	ObservationTypeKVv2MetadataWrite  = "kvv2/metadata/write"
	ObservationTypeKVv2MetadataDelete = "kvv2/metadata/delete"
	ObservationTypeKVv2MetadataPatch  = "kvv2/metadata/patch"
)

Variables

View Source 
var File_types_proto protoreflect.FileDescriptor

Functions

func Factory 

func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

Factory will return a logical backend of type versionedKVBackend or PassthroughBackend based on the config passed in.

func LeaseSwitchedPassthroughBackendFactory added in v0.20.0 

func LeaseSwitchedPassthroughBackendFactory(ctx context.Context, conf *logical.BackendConfig, leases bool) (logical.Backend, error)

LeaseSwitchedPassthroughBackendFactory returns a PassthroughBackend with leases switched on or off

func LeasedPassthroughBackendFactory 

func LeasedPassthroughBackendFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

LeasedPassthroughBackendFactory returns a PassthroughBackend with leases switched on

func PassthroughBackendFactory 

func PassthroughBackendFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

PassthroughBackendFactory returns a PassthroughBackend with leases switched off

func VersionedKVFactory 

func VersionedKVFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

VersionedKVFactory returns a new KVV2 backend as logical.Backend.

Types

type AdditionalKVMetadata added in v0.22.0 

type AdditionalKVMetadata struct {
	// contains filtered or unexported fields
}

type Attribution added in v0.25.0 

type Attribution struct {

	// actor is the display name of the actor who performed the given operation
	Actor string `protobuf:"bytes,1,opt,name=actor,proto3" json:"actor,omitempty"`
	// operation is the action that was taken
	Operation string `protobuf:"bytes,2,opt,name=operation,proto3" json:"operation,omitempty"`
	// entity_id is the entity_id of the actor who performed the given operation
	EntityId string `protobuf:"bytes,3,opt,name=entity_id,json=entityId,proto3" json:"entity_id,omitempty"`
	// client_id is the client_id presented as part of the request for the given operation
	ClientId string `protobuf:"bytes,4,opt,name=client_id,json=clientId,proto3" json:"client_id,omitempty"`
	// contains filtered or unexported fields
}

func (*Attribution) Descriptor deprecated added in v0.25.0 

func (*Attribution) Descriptor() ([]byte, []int)

Deprecated: Use Attribution.ProtoReflect.Descriptor instead.

func (*Attribution) GetActor added in v0.25.0 

func (x *Attribution) GetActor() string

func (*Attribution) GetClientId added in v0.25.0 

func (x *Attribution) GetClientId() string

func (*Attribution) GetEntityId added in v0.25.0 

func (x *Attribution) GetEntityId() string

func (*Attribution) GetOperation added in v0.25.0 

func (x *Attribution) GetOperation() string

func (*Attribution) ProtoMessage added in v0.25.0 

func (*Attribution) ProtoMessage()

func (*Attribution) ProtoReflect added in v0.25.0 

func (x *Attribution) ProtoReflect() protoreflect.Message

func (*Attribution) Reset added in v0.25.0 

func (x *Attribution) Reset()

func (*Attribution) String added in v0.25.0 

func (x *Attribution) String() string

type Configuration 

type Configuration struct {
	MaxVersions        uint32               `protobuf:"varint,1,opt,name=max_versions,json=maxVersions,proto3" json:"max_versions,omitempty"`
	CasRequired        bool                 `protobuf:"varint,2,opt,name=cas_required,json=casRequired,proto3" json:"cas_required,omitempty"`
	DeleteVersionAfter *durationpb.Duration `protobuf:"bytes,3,opt,name=delete_version_after,json=deleteVersionAfter,proto3" json:"delete_version_after,omitempty"`
	// contains filtered or unexported fields
}

If values are added to this, be sure to update the config() function

func (*Configuration) Descriptor deprecated 

func (*Configuration) Descriptor() ([]byte, []int)

Deprecated: Use Configuration.ProtoReflect.Descriptor instead.

func (*Configuration) DisableDeleteVersionAfter added in v0.5.2 

func (c *Configuration) DisableDeleteVersionAfter()

DisableDeleteVersionAfter disables DeleteVersionAfter.

func (*Configuration) GetCasRequired 

func (x *Configuration) GetCasRequired() bool

func (*Configuration) GetDeleteVersionAfter added in v0.5.2 

func (x *Configuration) GetDeleteVersionAfter() *durationpb.Duration

func (*Configuration) GetMaxVersions 

func (x *Configuration) GetMaxVersions() uint32

func (*Configuration) IsDeleteVersionAfterDisabled added in v0.5.2 

func (c *Configuration) IsDeleteVersionAfterDisabled() bool

IsDeleteVersionAfterDisabled returns true if DeleteVersionAfter is disabled.

func (*Configuration) ProtoMessage 

func (*Configuration) ProtoMessage()

func (*Configuration) ProtoReflect added in v0.10.0 

func (x *Configuration) ProtoReflect() protoreflect.Message

func (*Configuration) Reset 

func (x *Configuration) Reset()

func (*Configuration) ResetDeleteVersionAfter added in v0.5.2 

func (c *Configuration) ResetDeleteVersionAfter()

ResetDeleteVersionAfter resets the DeleteVersionAfter to the default value.

func (*Configuration) String 

func (x *Configuration) String() string

type KeyMetadata 

type KeyMetadata struct {

	// Key is the key for this entry
	Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
	// Versions is the map of versionID -> VersionMetadata.
	// Useful when listing all versions.
	Versions map[uint64]*VersionMetadata `` /* 144-byte string literal not displayed */
	// CurrentVersion is the latest version of the value
	CurrentVersion uint64 `protobuf:"varint,3,opt,name=current_version,json=currentVersion,proto3" json:"current_version,omitempty"`
	// OldestVersion is the oldest version of the value.
	OldestVersion uint64 `protobuf:"varint,4,opt,name=oldest_version,json=oldestVersion,proto3" json:"oldest_version,omitempty"`
	// Created time is when the metadata was created.
	CreatedTime *timestamppb.Timestamp `protobuf:"bytes,5,opt,name=created_time,json=createdTime,proto3" json:"created_time,omitempty"`
	// Updated time was the last time the metadata version
	// was updated.
	UpdatedTime *timestamppb.Timestamp `protobuf:"bytes,6,opt,name=updated_time,json=updatedTime,proto3" json:"updated_time,omitempty"`
	// MaxVersions specifies how many versions to keep around.
	// If empty value, defaults to the configured Max
	// for the mount.
	MaxVersions uint32 `protobuf:"varint,7,opt,name=max_versions,json=maxVersions,proto3" json:"max_versions,omitempty"`
	// CasRequired specifies if the cas parameter is
	// required for this key
	CasRequired bool `protobuf:"varint,8,opt,name=cas_required,json=casRequired,proto3" json:"cas_required,omitempty"`
	// DeleteVersionAfter specifies how long to keep versions around. If
	// empty value, defaults to the configured delete_version_after for the
	// mount.
	DeleteVersionAfter *durationpb.Duration `protobuf:"bytes,9,opt,name=delete_version_after,json=deleteVersionAfter,proto3" json:"delete_version_after,omitempty"`
	// CustomMetadata is a map of string key-value pairs used to store
	// user-provided information about the secret.
	CustomMetadata map[string]string `` /* 178-byte string literal not displayed */
	// LastUpdatedBy is the display name of the last entity to update this key
	LastUpdatedBy *Attribution `protobuf:"bytes,11,opt,name=last_updated_by,json=lastUpdatedBy,proto3" json:"last_updated_by,omitempty"`
	// contains filtered or unexported fields
}

func (*KeyMetadata) AddVersion 

func (k *KeyMetadata) AddVersion(createdTime, deletionTime *timestamp.Timestamp, configMaxVersions uint32) (*VersionMetadata, uint64)

AddVersion adds a version to the key metadata and moves the sliding window of max versions. It returns the newly added version and the version to delete from storage.

func (*KeyMetadata) Descriptor deprecated 

func (*KeyMetadata) Descriptor() ([]byte, []int)

Deprecated: Use KeyMetadata.ProtoReflect.Descriptor instead.

func (*KeyMetadata) GetCasRequired 

func (x *KeyMetadata) GetCasRequired() bool

func (*KeyMetadata) GetCreatedTime 

func (x *KeyMetadata) GetCreatedTime() *timestamppb.Timestamp

func (*KeyMetadata) GetCurrentVersion 

func (x *KeyMetadata) GetCurrentVersion() uint64

func (*KeyMetadata) GetCustomMetadata added in v0.10.0 

func (x *KeyMetadata) GetCustomMetadata() map[string]string

func (*KeyMetadata) GetDeleteVersionAfter added in v0.5.2 

func (x *KeyMetadata) GetDeleteVersionAfter() *durationpb.Duration

func (*KeyMetadata) GetKey 

func (x *KeyMetadata) GetKey() string

func (*KeyMetadata) GetLastUpdatedBy added in v0.25.0 

func (x *KeyMetadata) GetLastUpdatedBy() *Attribution

func (*KeyMetadata) GetMaxVersions 

func (x *KeyMetadata) GetMaxVersions() uint32

func (*KeyMetadata) GetOldestVersion 

func (x *KeyMetadata) GetOldestVersion() uint64

func (*KeyMetadata) GetUpdatedTime 

func (x *KeyMetadata) GetUpdatedTime() *timestamppb.Timestamp

func (*KeyMetadata) GetVersions 

func (x *KeyMetadata) GetVersions() map[uint64]*VersionMetadata

func (*KeyMetadata) ProtoMessage 

func (*KeyMetadata) ProtoMessage()

func (*KeyMetadata) ProtoReflect added in v0.10.0 

func (x *KeyMetadata) ProtoReflect() protoreflect.Message

func (*KeyMetadata) Reset 

func (x *KeyMetadata) Reset()

func (*KeyMetadata) String 

func (x *KeyMetadata) String() string

type PassthroughBackend 

type PassthroughBackend struct {
	*framework.Backend
	// contains filtered or unexported fields
}

PassthroughBackend is used storing secrets directly into the physical backend. The secrets are encrypted in the durable storage and custom TTL information can be specified, but otherwise this backend doesn't do anything fancy.

type UpgradeInfo 

type UpgradeInfo struct {

	// Started time is when the upgrade was started.
	StartedTime *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=started_time,json=startedTime,proto3" json:"started_time,omitempty"`
	// done is set to true once the backend has been successfully
	// upgraded.
	Done bool `protobuf:"varint,2,opt,name=done,proto3" json:"done,omitempty"`
	// contains filtered or unexported fields
}

func (*UpgradeInfo) Descriptor deprecated 

func (*UpgradeInfo) Descriptor() ([]byte, []int)

Deprecated: Use UpgradeInfo.ProtoReflect.Descriptor instead.

func (*UpgradeInfo) GetDone 

func (x *UpgradeInfo) GetDone() bool

func (*UpgradeInfo) GetStartedTime 

func (x *UpgradeInfo) GetStartedTime() *timestamppb.Timestamp

func (*UpgradeInfo) ProtoMessage 

func (*UpgradeInfo) ProtoMessage()

func (*UpgradeInfo) ProtoReflect added in v0.10.0 

func (x *UpgradeInfo) ProtoReflect() protoreflect.Message

func (*UpgradeInfo) Reset 

func (x *UpgradeInfo) Reset()

func (*UpgradeInfo) String 

func (x *UpgradeInfo) String() string

type Version 

type Version struct {

	// Data is a JSON object with string keys that
	// represents the user supplied data.
	Data []byte `protobuf:"bytes,1,opt,name=data,proto3" json:"data,omitempty"`
	// CreatedTime is when the version was created.
	CreatedTime *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=created_time,json=createdTime,proto3" json:"created_time,omitempty"`
	// DeletionTime is the time this version becomes invalid.
	// Set to Now() to delete the version before the configured
	// deletion time.
	DeletionTime *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=deletion_time,json=deletionTime,proto3" json:"deletion_time,omitempty"`
	// contains filtered or unexported fields
}

func (*Version) Descriptor deprecated 

func (*Version) Descriptor() ([]byte, []int)

Deprecated: Use Version.ProtoReflect.Descriptor instead.

func (*Version) GetCreatedTime 

func (x *Version) GetCreatedTime() *timestamppb.Timestamp

func (*Version) GetData 

func (x *Version) GetData() []byte

func (*Version) GetDeletionTime 

func (x *Version) GetDeletionTime() *timestamppb.Timestamp

func (*Version) ProtoMessage 

func (*Version) ProtoMessage()

func (*Version) ProtoReflect added in v0.10.0 

func (x *Version) ProtoReflect() protoreflect.Message

func (*Version) Reset 

func (x *Version) Reset()

func (*Version) String 

func (x *Version) String() string

type VersionMetadata 

type VersionMetadata struct {

	// CreatedTime is when the version was created.
	CreatedTime *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=created_time,json=createdTime,proto3" json:"created_time,omitempty"`
	// DeletionTime is the time this version becomes invalid.
	// Set to Now() to delete the version before the configured
	// delete time.
	DeletionTime *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=deletion_time,json=deletionTime,proto3" json:"deletion_time,omitempty"`
	// Destroyed is used to specify this version is
	// a has been removed and the underlying data deleted.
	Destroyed bool `protobuf:"varint,3,opt,name=destroyed,proto3" json:"destroyed,omitempty"`
	// CreatedBy is the attribution data for the actor who created this
	// version
	CreatedBy *Attribution `protobuf:"bytes,4,opt,name=created_by,json=createdBy,proto3" json:"created_by,omitempty"`
	// Deleted by is the attribution data for the actor who created this
	// version of the secret
	DeletedBy *Attribution `protobuf:"bytes,5,opt,name=deleted_by,json=deletedBy,proto3" json:"deleted_by,omitempty"`
	// contains filtered or unexported fields
}

func (*VersionMetadata) Descriptor deprecated 

func (*VersionMetadata) Descriptor() ([]byte, []int)

Deprecated: Use VersionMetadata.ProtoReflect.Descriptor instead.

func (*VersionMetadata) GetCreatedBy added in v0.25.0 

func (x *VersionMetadata) GetCreatedBy() *Attribution

func (*VersionMetadata) GetCreatedTime 

func (x *VersionMetadata) GetCreatedTime() *timestamppb.Timestamp

func (*VersionMetadata) GetDeletedBy added in v0.25.0 

func (x *VersionMetadata) GetDeletedBy() *Attribution

func (*VersionMetadata) GetDeletionTime 

func (x *VersionMetadata) GetDeletionTime() *timestamppb.Timestamp

func (*VersionMetadata) GetDestroyed 

func (x *VersionMetadata) GetDestroyed() bool

func (*VersionMetadata) ProtoMessage 

func (*VersionMetadata) ProtoMessage()

func (*VersionMetadata) ProtoReflect added in v0.10.0 

func (x *VersionMetadata) ProtoReflect() protoreflect.Message

func (*VersionMetadata) Reset 

func (x *VersionMetadata) Reset()

func (*VersionMetadata) String 

func (x *VersionMetadata) String() string

Source Files

View all Source files

Directories

Path Synopsis
cmd
vault-plugin-secrets-kv command

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.