Demo Vault Secrets Engine

Prerequisites
1. Enable the KV v2 Secrets Engine
2. Read from an Empty Path
3. Storing Secrets
3.1 Create the First Version
3.2 Update with a Password
3.3 Add an API Key
4. Retrieve Secrets and Metadata
4.1 Fetch Both Data and Metadata
4.2 Fetch Only Metadata
5. Deleting Secrets
5.1 Soft Delete Latest Version
6. Using KV Engine Inside Kubernetes
Links and References

In this guide, you’ll learn how to enable and use the Key-Value (KV) version 2 secrets engine in HashiCorp Vault. The KV secrets engine allows you to securely store arbitrary secrets—like database credentials, API keys, or certificates—and manage multiple versions, metadata, and lifecycle operations.

Prerequisites

Vault CLI installed and configured
A running and unsealed Vault server
Vault Authentication set up for your environment

Ensure your Vault server is unsealed and your CLI is authenticated (vault login) before proceeding.

1. Enable the KV v2 Secrets Engine

Mount the KV v2 engine at the crds/ path:

vault secrets enable -path=crds kv-v2
# Success! Enabled the kv-v2 secrets engine at: crds/

2. Read from an Empty Path

If no data exists at crds/mysql, Vault returns an error:

vault kv get crds/mysql
# Error reading crds/mysql: no value found at crds/mysql

3. Storing Secrets

3.1 Create the First Version

Store only a username:

vault kv put crds/mysql username=root
# Key              Value
# ---              -----
# created_time     2021-08-31T11:17:38.755927206Z
# deletion_time    n/a
# destroyed        false
# version          1

3.2 Update with a Password

Add a password to create version 2:

vault kv put crds/mysql username=root password=12345
# Key              Value
# ---              -----
# created_time     2021-08-31T11:19:45.645227215Z
# deletion_time    n/a
# destroyed        false
# version          2

3.3 Add an API Key

You can append fields anytime (creates version 3):

vault kv put crds/mysql username=root password=12345 apiKey=Vbdj794MHUH8945tojrjf3
# Key              Value
# ---              -----
# created_time     2021-10-03T13:10:55.084433408Z
# deletion_time    n/a
# destroyed        false
# version          3

4. Retrieve Secrets and Metadata

Operation	Command	Description
Fetch data & metadata	`vault kv get crds/mysql`	Shows both secret values and metadata
Fetch only metadata	`vault kv metadata get crds/mysql`	Displays metadata and version history

4.1 Fetch Both Data and Metadata

vault kv get crds/mysql
# ====== Metadata ======
# Key              Value
# ---              -----
# created_time     2021-10-03T13:10:55.084433408Z
# deletion_time    n/a
# destroyed        false
# version          3
#
# ======= Data =======
# Key              Value
# ---              -----
# apiKey           Vbdj794MHUH8945tojrjf3
# password         12345
# username         root

4.2 Fetch Only Metadata

vault kv metadata get crds/mysql
# ==== Metadata ====
# Key                   Value
# ---                   -----
# cas_required          false
# created_time          2021-10-03T13:10:55.084433408Z
# current_version       3
# delete_version_after  0
# max_versions          10
# oldest_version        1
# updated_time          2021-10-03T13:10:55.084433408Z
#
# ==== Version 1 ====
# Key              Value
# ---              -----
# created_time     2021-08-31T11:17:38.755927206Z
# deletion_time    n/a
# destroyed        false

5. Deleting Secrets

5.1 Soft Delete Latest Version

vault kv delete crds/mysql
# Success! Data deleted (if it existed) at: crds/mysql

Reading now shows the deleted version’s metadata:

vault kv get crds/mysql
# ====== Metadata ======
# Key              Value
# ---              -----
# created_time     2021-10-03T13:10:55.084433408Z
# deletion_time    2021-10-03T13:10:56.084433408Z
# destroyed        true
# version          3

Soft-deleted versions can be undeleted until permanently destroyed. To irreversibly remove versions, use vault kv destroy.

6. Using KV Engine Inside Kubernetes

If Vault is running in Kubernetes, exec into the pod to run the same commands:

kubectl get pods
# NAME                                   READY   STATUS    RESTARTS   AGE
# vault-0                                1/1     Running   0          21m
kubectl exec -it vault-0 -- /bin/sh
/ # vault secrets enable -path=crds kv-v2
/ # vault kv put crds/mysql username=root password=12345
/ # vault kv get crds/mysql

After adding secrets, configure authentication methods and attach policies so applications can securely access your KV paths. See Vault Policies for more details.

Links and References

Watch Video

Demo Vault Initialization

Demo Vault Authorization

⌘I

Introduction

Kubernetes Operations and Security

Additional Topics

Dev Ops Pipeline

Dev Sec Ops Pipeline

Hashi Corp Vault Kubernetes

Demo Vault Secrets Engine

Prerequisites

1. Enable the KV v2 Secrets Engine

2. Read from an Empty Path

3. Storing Secrets

3.1 Create the First Version

3.2 Update with a Password

3.3 Add an API Key

4. Retrieve Secrets and Metadata

4.1 Fetch Both Data and Metadata

4.2 Fetch Only Metadata

5. Deleting Secrets

5.1 Soft Delete Latest Version

6. Using KV Engine Inside Kubernetes

Links and References

Watch Video

Introduction

Kubernetes Operations and Security

Additional Topics

Dev Ops Pipeline

Dev Sec Ops Pipeline

Hashi Corp Vault Kubernetes

​Prerequisites

​1. Enable the KV v2 Secrets Engine

​2. Read from an Empty Path

​3. Storing Secrets

​3.1 Create the First Version

​3.2 Update with a Password

​3.3 Add an API Key

​4. Retrieve Secrets and Metadata

​4.1 Fetch Both Data and Metadata

​4.2 Fetch Only Metadata

​5. Deleting Secrets

​5.1 Soft Delete Latest Version

​6. Using KV Engine Inside Kubernetes

​Links and References

Watch Video

Prerequisites

1. Enable the KV v2 Secrets Engine

2. Read from an Empty Path

3. Storing Secrets

3.1 Create the First Version

3.2 Update with a Password

3.3 Add an API Key

4. Retrieve Secrets and Metadata

4.1 Fetch Both Data and Metadata

4.2 Fetch Only Metadata

5. Deleting Secrets

5.1 Soft Delete Latest Version

6. Using KV Engine Inside Kubernetes

Links and References