Welcome to this step-by-step guide on using the KV secrets engine version 1 in HashiCorp Vault. You will learn how to:
- List existing secrets engines
- Enable a KV v1 engine at a custom path
- Verify the engine version
- Write, read, update, and delete secrets
- Format output as JSON and extract specific fields
- List secret keys
All examples assume you have the Vault CLI installed, authenticated, and are connected to your Vault server via SSH.
1. List Existing Secrets Engines
Inspect which secret engines are currently mounted:
Example output:
| Path | Type | Accessor | Description |
|---|
| cubbyhole/ | cubbyhole | cubbyhole_9c6c2ca2 | per-token private secret storage |
| identity/ | identity | identity_e55fbf01 | identity store |
| sys/ | system | system_ae43616e | control, policy, and debugging |
| transit/ | transit | transit_5bb3af5e | data encryption as a service |
No KV engine is enabled yet.
2. Enable KV v1 at a Custom Path
Enable a KV v1 engine at training/:
vault secrets enable -path=training kv
Success! Enabled the kv secrets engine at: training/
| Path | Type | Accessor | Description |
|---|
| training/ | kv | kv_11d31683 | n/a |
3. Verify the Engine Version
Check the detailed mount info to confirm KV v1 (no versioning):
vault secrets list --detailed
Options map (map[]):
Path Plugin Accessor Default TTL Max TTL Options Description
training/ kv kv_11d31683 n/a n/a map[] n/a
In KV v2, the options map includes "version":"2".
4. Write Secrets
Store a single key/value pair:
vault kv put training/apps/jenkins apikey=fkkj4ifkjwo2
Success! Data written to: training/apps/jenkins
5. Read Secrets
Retrieve the secret:
vault kv get training/apps/jenkins
Key Value
--- -----
apikey fkkj4ifkjwo2
6. Update Secrets
KV v1 always overwrites data. To update, write again:
vault kv put training/apps/jenkins user=vault-training-admin
vault kv get training/apps/jenkins
Key Value
---- ----------------------
user vault-training-admin
vault kv put training/apps/jenkins apikey=fkkj4ifkjwo2 user=vault-training-admin
vault kv get training/apps/jenkins
Key Value
--- ----------------------
apikey fkkj4ifkjwo2
user vault-training-admin
Output secret as JSON and parse with jq:
vault kv get -format=json training/apps/jenkins
{
"request_id": "…",
"lease_id": "",
"data": {
"apikey": "fkkj4ifkjwo2",
"user": "vault-training-admin"
}
}
vault kv get -format=json training/apps/jenkins | jq -r .data.apikey
vault kv get -format=json training/apps/jenkins | jq -r .data.user
Using JSON output is useful for automation and scripting.
8. Delete Secrets
Remove the secret at a given path:
vault kv delete training/apps/jenkins
vault kv get training/apps/jenkins
No value found at training/apps/jenkins
9. List Secret Keys
Re-create sample secrets:
vault kv put training/apps/jenkins abc=123
vault kv put training/apps/azuredevops user=administrator
training/:
List under training/apps/:
vault kv list training/apps/
Keys
----
azuredevops
jenkins
- Entries ending with
/ are subdirectories.
- Others are secret paths.
Summary Comparison: KV v1 vs. KV v2
| Feature | KV v1 | KV v2 |
|---|
| Versioning | No | Yes |
| Metadata & check-and-set | N/A | Supported |
| Path for data operations | kv put/get/delete | kv/data/... |
Options map (--detailed) | map[] | map[version:2] |
Links and References
