Documentation Index Fetch the complete documentation index at: https://notes.kodekloud.com/llms.txt
Use this file to discover all available pages before exploring further.
In this guide, you’ll learn how to enable and use the Key-Value (KV) version 2 secrets engine in HashiCorp Vault. The KV secrets engine allows you to securely store arbitrary secrets—like database credentials, API keys, or certificates—and manage multiple versions, metadata, and lifecycle operations.
Prerequisites
Vault CLI installed and configured
A running and unsealed Vault server
Vault Authentication set up for your environment
Ensure your Vault server is unsealed and your CLI is authenticated (vault login) before proceeding.
1. Enable the KV v2 Secrets Engine Mount the KV v2 engine at the crds/ path:
vault secrets enable -path=crds kv-v2 # Success! Enabled the kv-v2 secrets engine at: crds/
2. Read from an Empty Path If no data exists at crds/mysql, Vault returns an error:
vault kv get crds/mysql # Error reading crds/mysql: no value found at crds/mysql
3. Storing Secrets 3.1 Create the First Version Store only a username:
vault kv put crds/mysql username=root # Key Value # --- ----- # created_time 2021-08-31T11:17:38.755927206Z # deletion_time n/a # destroyed false # version 1
3.2 Update with a Password Add a password to create version 2:
vault kv put crds/mysql username=root password= 12345 # Key Value # --- ----- # created_time 2021-08-31T11:19:45.645227215Z # deletion_time n/a # destroyed false # version 2
3.3 Add an API Key You can append fields anytime (creates version 3):
vault kv put crds/mysql username=root password= 12345 apiKey=Vbdj794MHUH8945tojrjf3 # Key Value # --- ----- # created_time 2021-10-03T13:10:55.084433408Z # deletion_time n/a # destroyed false # version 3
Operation Command Description Fetch data & metadata vault kv get crds/mysqlShows both secret values and metadata Fetch only metadata vault kv metadata get crds/mysqlDisplays metadata and version history
vault kv get crds/mysql # ====== Metadata ====== # Key Value # --- ----- # created_time 2021-10-03T13:10:55.084433408Z # deletion_time n/a # destroyed false # version 3 # # ======= Data ======= # Key Value # --- ----- # apiKey Vbdj794MHUH8945tojrjf3 # password 12345 # username root
vault kv metadata get crds/mysql # ==== Metadata ==== # Key Value # --- ----- # cas_required false # created_time 2021-10-03T13:10:55.084433408Z # current_version 3 # delete_version_after 0 # max_versions 10 # oldest_version 1 # updated_time 2021-10-03T13:10:55.084433408Z # # ==== Version 1 ==== # Key Value # --- ----- # created_time 2021-08-31T11:17:38.755927206Z # deletion_time n/a # destroyed false
5. Deleting Secrets 5.1 Soft Delete Latest Version vault kv delete crds/mysql # Success! Data deleted (if it existed) at: crds/mysql
Reading now shows the deleted version’s metadata:
vault kv get crds/mysql # ====== Metadata ====== # Key Value # --- ----- # created_time 2021-10-03T13:10:55.084433408Z # deletion_time 2021-10-03T13:10:56.084433408Z # destroyed true # version 3
Soft-deleted versions can be undeleted until permanently destroyed. To irreversibly remove versions, use vault kv destroy.
6. Using KV Engine Inside Kubernetes If Vault is running in Kubernetes, exec into the pod to run the same commands:
kubectl get pods # NAME READY STATUS RESTARTS AGE # vault-0 1/1 Running 0 21m kubectl exec -it vault-0 -- /bin/sh / # vault secrets enable -path=crds kv-v2 / # vault kv put crds/mysql username=root password=12345 / # vault kv get crds/mysql
After adding secrets, configure authentication methods and attach policies so applications can securely access your KV paths. See Vault Policies for more details. Links and References 
