I wish to delete all records under kv (versioned) using API [HTTP request]. Using CLI is a secondary preference.
Upon my research, I found that there is no way to delete all entries under kv in one go.
Instead we should first LIST and then delete all records in a loop.
Below is my attempt on Listing all entries under the kv.
Display path for kv:
C:\Users\meuser>curl -H "X-Vault-Token: s.XTEZVwE5WOill0as1HXV6w2Z" -H "X-Vault-Namespace: devops-vault-poc/" https://dal-vault.mybank.com/v1/sys/mounts
{"request_id":"93fdc050-d5d1-fbe2-df58-2a2bba04f19c","lease_id":"","renewable":false,"lease_duration":0,"data":{"cubbyhole/":{"accessor":"ns_cubbyhole_12e4f0fa","config":{"default_lease_ttl":0,"force_no_cache":false,"max_lease_ttl":0},"description":"per-token private secret storage","external_entropy_access":false,"local":true,"options":null,"seal_wrap":false,"type":"ns_cubbyhole","uuid":"b9276a30-73c0-5d2f-34c0-238b5830c572"},"identity/":{"accessor":"ns_identity_50d4ced6","config":{"default_lease_ttl":0,"force_no_cache":false,"max_lease_ttl":0},"description":"identity store","external_entropy_access":false,"local":false,"options":null,"seal_wrap":false,"type":"ns_identity","uuid":"8b5b546f-33d6-1234-6f38-9ddcde05c55d"},"kv/":{"accessor":"kv_b93d663b","config":{"default_lease_ttl":0,"force_no_cache":false,"max_lease_ttl":0},"description":"","external_entropy_access":false,"local":false,"options":{"version":"2"},"seal_wrap":false,"type":"kv","uuid":"42834004-f858-a734-e52d-6405d0e5ab73"},"sys/":{"accessor":"ns_system_573b63e0","config":{"default_lease_ttl":0,"force_no_cache":false,"max_lease_ttl":0},"description":"system endpoints used for control, policy and debugging","external_entropy_access":false,"local":false,"options":null,"seal_wrap":false,"type":"ns_system","uuid":"bfce2504-fff5-b74f-70a0-0b2fe3fb500d"}},"wrap_info":null,"warnings":null,"auth":null}
Attempt 1 to List entries:
C:\Users\meuser>curl -H "X-Vault-Token: s.XTEZVwE5WOill0as1HXV6w2Z" -H "X-Vault-Namespace: devops-vault-poc/" -X LIST https://dal-vault.mybank.com/v1/kv
{"request_id":"884ad3f2-80c3-fb99-d5c9-83f059f41319","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":["Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv list' for this operation."],"auth":null}
Attempt 2:
C:\Users\meuser>curl -H "X-Vault-Token: s.XTEZVwE5WOill0as1HXV6w2Z" -H "X-Vault-Namespace: devops-vault-poc/" -X LIST https://dal-vault.mybank.com/v1/kv/
{"request_id":"c898ffc6-7ac8-faa6-87aa-e8f57045c6d3","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":["Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv list' for this operation."],"auth":null}
Attempt 3:
C:\Users\meuser>curl -H "X-Vault-Token: s.XTEZVwE5WOill0as1HXV6w2Z" -H "X-Vault-Namespace: devops-vault-poc/" -X LIST https://dal-vault.mybank.com/v1/kv/data/
{"errors":["1 error occurred:\n\t* unsupported operation\n\n"]}
You could also re-create the secret engine mount to delete all records. Would that be an ok solution?
@MatthewSchuchard I would like to know that solution but I'm not sure how to. However, API to list and delete all key-value is my preference?
From the docs, to perform a LIST operation you need to use the /metadata/ paths. So the appropriate command for you would be
curl -H "X-Vault-Token: <token>" -H "X-Vault-Namespace: devops-vault-poc/" -X LIST https://dal-vault.mybank.com/v1/kv/metadata/
If you want to delete every secret, disable the mount and enable it again. It will mount a fresh new and empty copy.
Let's enable it and put some secrets in it:
$ vault secrets enable --path kv --version 2 kv
$ vault kv put kv/hello a=42
$ vault kv put kv/world b=42
You'll have two secrets, hello and world:
$ vault kv list kv
Keys
----
hello
world
Now disable the mount:
$ vault secrets disable kv
Success! Disabled the secrets engine (if it existed) at: kv/
Enable it again, see that it is empty:
$ vault secrets enable --path kv --version 2 kv
Success! Enabled the kv secrets engine at: kv/
~
$ vault kv list kv
No value found at kv/metadata
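The list-then-delete loop the question asks for, built on the /metadata/ paths named in the answer above, as an added example that is not part of the original posts. The function names are hypothetical, the address, token and namespace are assumed to come from the VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE environment variables, and it goes beyond the page by descending into nested folders and defaulting to a dry run.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request


def vault_call(method, path):
    """Send one request to Vault; return parsed JSON, or None on 204/404."""
    headers = {"X-Vault-Token": os.environ["VAULT_TOKEN"]}
    if os.environ.get("VAULT_NAMESPACE"):
        headers["X-Vault-Namespace"] = os.environ["VAULT_NAMESPACE"]
    url = os.environ["VAULT_ADDR"].rstrip("/") + "/v1/" + urllib.parse.quote(path)
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 404:  # LIST on an empty mount or folder returns 404
            return None
        raise
    return json.loads(body) if body else None


def walk(call, mount, prefix=""):
    """Yield every secret path under mount/prefix, descending into folders."""
    listing = call("LIST", f"{mount}/metadata/{prefix}")
    for key in ((listing or {}).get("data") or {}).get("keys", []):
        if key.endswith("/"):  # a trailing slash marks a folder, not a secret
            yield from walk(call, mount, prefix + key)
        else:
            yield prefix + key


def purge(call, mount, dry_run=True):
    """Return all secret paths; unless dry_run, delete each one first."""
    paths = list(walk(call, mount))
    if not dry_run:
        for path in paths:
            # DELETE on metadata/ removes the key and every stored version;
            # DELETE on data/ would only soft-delete the latest version.
            call("DELETE", f"{mount}/metadata/{path}")
    return paths


if __name__ == "__main__":
    # Prints what would be removed; set PURGE=1 to actually delete.
    for p in purge(vault_call, "kv", dry_run=os.environ.get("PURGE") != "1"):
        print(p)
```

The token needs `list` and `delete` capabilities on `kv/metadata/*` for this to work.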