KV Secret Engine Operations

# Enable KV v2 at a path
vault secrets enable -path=secret kv-v2

# Configure max versions
vault write secret/config max_versions=10

# Check engine status
vault secrets list
vault read secret/config

# Store a secret (creates or updates)
vault kv put secret/myapp/database \
  host="db.example.com" \
  port="5432" \
  username="app_user" \
  password="s3cur3_p@ss"

# Read entire secret
vault kv get secret/myapp/database

# Read specific field
vault kv get -field=password secret/myapp/database

# Read as JSON
vault kv get -format=json secret/myapp/database

# Read specific version
vault kv get -version=2 secret/myapp/database

# Store from file
vault kv put secret/myapp/tls cert=@cert.pem key=@key.pem

# Store from stdin
echo -n '{"api_key":"abc123"}' | vault kv put secret/myapp/external -

# View version history
vault kv metadata get secret/myapp/database

# Add custom metadata
vault kv metadata put -custom-metadata=owner="platform-team" \
  -custom-metadata=rotation="90d" \
  secret/myapp/database

# Soft delete a version (can be undeleted)
vault kv delete -versions=3 secret/myapp/database

# Undelete
vault kv undelete -versions=3 secret/myapp/database

# Permanently destroy a version
vault kv destroy -versions=1,2 secret/myapp/database

# Delete all versions and metadata
vault kv metadata delete secret/myapp/database

# Enable CAS (prevent accidental overwrites)
vault kv metadata put -cas-required=true secret/myapp/database

# Write with CAS (must match current version)
vault kv put -cas=5 secret/myapp/database password="new_pass"
# Fails if current version is not 5

# CAS=0 means create only (fail if exists)
vault kv put -cas=0 secret/myapp/new-service api_key="key123"

# List secrets at a path
vault kv list secret/myapp/
vault kv list secret/

# Recursive listing (not built-in, use API)
vault kv list -format=json secret/ | jq -r '.[]'