vault_secret

Manage Vault KV v1/v2 secrets statefully.

Added in version 1.2.0.

Important

This module requires the general Vault setup.

saltext.vault.states.vault_secret.present(name, values, sync=False)

Ensure a secret is present as specified. Does not report a diff.

name

The path of the secret.

values

A mapping of values the secret should expose.

sync

Ensure the secret exposes only the keys given in values and delete unspecified ones. Defaults to false, which patches (merges over) existing data and deletes only those keys that are set to None/null. For details, see https://datatracker.ietf.org/doc/html/draft-ietf-appsawg-json-merge-patch-07
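
The difference between the two sync modes, as an added example that is not part of saltext-vault: with sync=False a key that is not mentioned in values (for instance a retired credential) stays in the secret unless it is explicitly set to None. The helper names and sample data are hypothetical, and the recursive handling of nested mappings follows the referenced merge-patch draft as an assumption about the module's behaviour.

```python
"""Added illustration: merge-patch semantics vs. full sync for a secret's data."""
import copy


def merge_patch(target, patch):
    """Apply a JSON merge patch (per the referenced draft) and return the result."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)  # null in the patch deletes the key
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


def desired_data(existing, values, sync=False):
    """Hypothetical helper: data the secret should hold after `present`.

    sync=True  -> the secret exposes exactly `values`
    sync=False -> `values` is merged over `existing` as a merge patch
    """
    if sync:
        return copy.deepcopy(values)
    return merge_patch(existing, values)


# Constructed sample data, not taken from a real Vault
EXISTING = {"username": "app", "password": "old-pw", "legacy_token": "t-123"}
VALUES = {"password": "new-pw", "api_key": "k-456"}

if __name__ == "__main__":
    # sync=False: legacy_token survives because it is not mentioned
    print(desired_data(EXISTING, VALUES))
    # sync=True: only the keys in VALUES remain
    print(desired_data(EXISTING, VALUES, sync=True))
    # sync=False with an explicit null: legacy_token is removed
    print(desired_data(EXISTING, {**VALUES, "legacy_token": None}))
```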

saltext.vault.states.vault_secret.absent(name, operation='delete')

Ensure a secret is absent. This operates only on the most recent version for delete/destroy. Currently does not destroy/wipe a secret that has been made unreadable in some other way.

name

The path of the secret.

operation

The operation to perform to remove the secret. Only relevant for KV v2. Options are: delete (soft-delete), destroy (delete unrecoverably) and wipe (forget about the secret completely). Defaults to delete. KV v1 secrets are always wiped since the backend does not support versioning.