
UI - Patch Secret

Open AdrianFarmadin opened this issue 3 years ago • 9 comments

Is your feature request related to a problem? Please describe. Some users don't have to have a read permission on secrets, but still are able to patch a secret. Such a user is forced to use the Vault CLI or API, because patch is not implemented in the UI.

Describe the solution you'd like UI supports "patch secret" in a user-friendly way.

Describe alternatives you've considered Vault CLI or API.

Explain any additional use-cases A developer should be able to rotate a secret, but not be able to use the secret for local development/testing.

AdrianFarmadin avatar Mar 02 '22 07:03 AdrianFarmadin

I would argue that this is already implemented in the UI without a separate "patch" or "update" button.

Whenever you patch a secret it will not remove unspecified old key-value pairs from your secret. It will only either update existing ones or add a new key-value pair. Whenever you update a secret it will completely overwrite the secret's content, this includes deleting old entries if not specified. Both of the operations create a new version.

Now looking at the UI. If you press "create new version" it will pre-fill the already existing key-value pairs. You are now allowed to change these pairs or delete them. This is both derived from the patch and update functionality.

I hope this helps!

RemcoBuddelmeijer avatar Mar 09 '22 08:03 RemcoBuddelmeijer

Thank you, @RemcoBuddelmeijer! That's very helpful. @AdrianFarmadin please let me know if this answers your use case, or if you can provide more information about what you're looking for. Thanks!

heatherezell avatar Mar 09 '22 16:03 heatherezell

Let me better describe the use-case.

A user A creates a secret in "kv/show/some/path" with the following values:

  • key1 = value1
  • key2 = value2
  • key3 = value3

[screenshot: secret-values]

Another user B with a write-only policy granted needs to update key1.

Write-only policy:

path "kv/data/*" {
  capabilities = [ "create", "update", "patch", "delete", "list" ]
}

path "kv/metadata/*" {
  capabilities = [ "read", "list" ]
}

[screenshot: write-only-policy]

The user B can open the secret path and edit the secret, but can't view any values:

[screenshot: write-only-view]

The user B clicks on "Create new version +" and defines only key1 with a new value. The new secret version will contain only the single defined key.

[screenshot: edit-secret-write-only]

New version:

[screenshot: new-secret-version]

Patch Secret functionality allows a user to update a single key without overwriting the other keys. https://www.vaultproject.io/api-docs/secret/kv/kv-v2#patch-secret

It would be great if a user had the possibility to choose whether he wants to overwrite the secret or update the defined keys.

AdrianFarmadin avatar Mar 10 '22 11:03 AdrianFarmadin
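The difference described above, modelled as an added example (this is not Vault's code): a versioned secret where "update" replaces the whole data map and "patch" merges into the latest version, so a user who holds the write-only policy from this thread can rotate key1 without reading, and without losing, key2 and key3. The merge rule is the null-deletes-key convention the KV v2 patch endpoint follows; the policy matcher is a simplified trailing-`*` prefix match, an assumption made for the example.

```python
import copy

# Constructed from the policy posted in this thread.
WRITE_ONLY_POLICY = {
    "kv/data/*": {"create", "update", "patch", "delete", "list"},
    "kv/metadata/*": {"read", "list"},
}

def allowed(policy, path, capability):
    """Simplified policy check: a rule ending in '*' matches by prefix."""
    for rule, caps in policy.items():
        if rule.endswith("*") and path.startswith(rule[:-1]) or rule == path:
            if capability in caps:
                return True
    return False

class KvV2Secret:
    """Versioned key/value secret; every update or patch appends a version."""
    def __init__(self):
        self.versions = []           # versions[i] is version i+1

    @property
    def current(self):
        return self.versions[-1] if self.versions else {}

    def update(self, data):
        """Full overwrite: keys the caller did not send are gone in the new version
        (what the UI's 'Create new version' does for a user who cannot read)."""
        self.versions.append(dict(data))
        return len(self.versions)

    def patch(self, changes):
        """Merge into the latest version; a key set to None is removed."""
        merged = copy.deepcopy(self.current)
        for key, value in changes.items():
            if value is None:
                merged.pop(key, None)
            else:
                merged[key] = value
        self.versions.append(merged)
        return len(self.versions)

def rotate_key1():
    """User A writes v1; user B patches key1 (v2) and then overwrites (v3)."""
    s = KvV2Secret()
    s.update({"key1": "value1", "key2": "value2", "key3": "value3"})
    s.patch({"key1": "rotated"})
    after_patch = dict(s.current)
    s.update({"key1": "rotated-again"})
    return after_patch, dict(s.current)
```

Running `rotate_key1()` shows that the patched version still carries key2 and key3, while the overwrite leaves only key1; `allowed(WRITE_ONLY_POLICY, "kv/data/some/path", "read")` is False while "patch" is True.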

Hi @AdrianFarmadin - can you confirm your Vault version? I believe we fixed this in a relatively recent release, but I'd like to make sure. Thanks!

heatherezell avatar Mar 10 '22 22:03 heatherezell

Version: Vault v1.9.4 Version Sha: fcbe948b2542a13ee8036ad07dd8ebf8554f56cb

Image: vault:latest vault@sha256:6c551f51032fdefc676576c94eb810741214dcaf9670ac0700a4ca71753b4ff5

AdrianFarmadin avatar Mar 11 '22 06:03 AdrianFarmadin

@hsimon-hashicorp any update?

Should Vault v1.9.4 contain a fix?

AdrianFarmadin avatar Mar 21 '22 06:03 AdrianFarmadin

Same here in Vault v1.10.0 (7738ec5d0d6f5bf94a809ee0f6ff0142cfa525a6)

evan361425 avatar Apr 19 '22 08:04 evan361425

This is still the behavior in 1.14.0.

tcoenraad avatar Jun 28 '23 14:06 tcoenraad

Can /ui/vault/tools/api-explorer not be updated to also include a PATCH endpoint for /kv/data/{path}?

TrueBurn avatar Aug 14 '24 11:08 TrueBurn

This has been implemented in Vault Enterprise as of 1.18. We will continue to evaluate possible inclusion into CE, depending on customer needs and product leadership decisions. Please feel free to comment here if you are a CE user and wish for this to be included in the future. Thanks!

heatherezell avatar Dec 12 '24 21:12 heatherezell