Last retrieved timestamp for a secret
Is your feature request related to a problem? Please describe. We have a Vault instance, for which we would like to have an automation to delete the secrets which were not retrieved in the last xxx days. We couldn't find a way to get the last retrieved timestamp for a secret.
Describe the solution you'd like We are looking for an API or a Vault CLI command which will give the last retrieved timestamp for a secret.
Thanks for filing this ticket. I would like to first point to our doc page on lease revocation here to make sure what is already supported would meet your requirement. From that page: "With every dynamic secret and service type authentication token, Vault creates a lease: metadata containing information such as a time duration, renewability, and more. Vault promises that the data will be valid for the given duration, or Time To Live (TTL). Once the lease is expired, Vault can automatically revoke the data, and the consumer of the secret can no longer be certain that it is valid." So, with what is described in the ticket, it is possible to define the TTL of the lease to be xxx days, and then Vault will automatically revoke the secret.
Hi @reddy9694 - since it's been a little while since we've heard from you on this ticket, I'm going to go ahead and close it now. If Hamid's suggestion doesn't suit your needs, please feel free to re-open this issue or open a new one as needed. Thanks!
Hello Hamid, maybe I was not clear earlier: we are looking for a Vault CLI command or API that gives the details for a KV secret which was not retrieved from Vault in 'x' days.
The only way to do it in current Vault versions would be to have an external process parse the Vault audit log, and independently track last access time - as Vault itself just doesn't track last accessed time for KVs.
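The external audit-log approach described in the last comment, as an added example that is not part of the issue or of Vault itself: it walks JSON-lines entries from Vault's file audit device (the `time`, `type`, `request.operation` and `request.path` fields), keeps the latest `read` per KV v2 data path, and reports paths not read within a given number of days. The log lines, the mount name `secret/` and the `known_paths` argument (to also flag secrets that were never read at all, which otherwise never appear in the log) are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit-log lines; only the fields this script uses are
# included. Vault writes a "request" entry and a "response" entry per call,
# so only one of the two may be counted.
SAMPLE_AUDIT_LOG = """
{"time":"2023-01-02T10:00:00Z","type":"request","request":{"operation":"read","path":"secret/data/app/db"}}
{"time":"2023-01-02T10:00:00Z","type":"response","request":{"operation":"read","path":"secret/data/app/db"}}
{"time":"2023-03-15T08:30:00Z","type":"request","request":{"operation":"read","path":"secret/data/app/api"}}
{"time":"2023-03-20T12:00:00Z","type":"request","request":{"operation":"update","path":"secret/data/app/db"}}
{"time":"2023-04-01T09:00:00Z","type":"request","request":{"operation":"read","path":"secret/data/app/api"}}
{"time":"2023-04-02T09:00:00Z","type":"request","request":{"operation":"list","path":"secret/metadata/app"}}
"""

KV_DATA_PREFIX = "secret/data/"  # assumed KV v2 mount; adjust to the real mount


def parse_ts(value):
    """Parse an RFC 3339 timestamp as written by the audit device."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_read_times(lines):
    """Return {kv_path: latest read time}. Only 'request' entries with a
    'read' operation count: writes and lists do not retrieve the value."""
    last = {}
    for line in lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        req = entry.get("request", {})
        if entry.get("type") != "request" or req.get("operation") != "read":
            continue
        path = req.get("path", "")
        if not path.startswith(KV_DATA_PREFIX):
            continue
        ts = parse_ts(entry["time"])
        if path not in last or ts > last[path]:
            last[path] = ts
    return last


def stale_secrets(lines, now_iso, max_age_days, known_paths=()):
    """KV paths whose last read is older than max_age_days as of now_iso.
    Paths in known_paths with no read in the log at all are also stale."""
    cutoff = parse_ts(now_iso) - timedelta(days=max_age_days)
    last = last_read_times(lines)
    stale = {p for p, ts in last.items() if ts < cutoff}
    stale.update(p for p in known_paths if p not in last)
    return sorted(stale)
```

Feed real lines with `stale_secrets(open("/var/log/vault_audit.log"), ...)` and pass the mount's listed paths as `known_paths` so never-read secrets are not missed.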