HashiConf 2024 Now streaming live from Boston! Attend for free
Vault
Vault Home

kv get

The kv get command retrieves the value from KV secrets engine at the given key name. If no key exists with that name, an error is returned. If a key exists with the name but has no data, nothing is returned.

Examples

Retrieve the data of the key "creds":

$ vault kv get -mount=secret creds
== Secret Path ==
secret/data/creds

======= Metadata =======
Key                Value
---                -----
created_time       2022-06-15T20:23:40.067093Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

====== Data ======
Key         Value
---         -----
passcode    my-long-passcode

If KV version 1 secrets engine is enabled at "secret", the output has no metadata since there is no versioning information associated with the data:

$ vault kv get -mount=secret creds
====== Data ======
Key         Value
---         -----
passcode    my-long-passcode

Return only the "creds" "passcode" key:

$ vault kv get -mount=secret -field=passcode creds
my-long-passcode

Usage

Output options

  • -field (string: "") - Print only the field with the given name. Specifying this option will take precedence over other formatting directives. The result will not have a trailing newline making it ideal for piping to other processes.

  • -format (string: "table") - Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the VAULT_FORMAT environment variable.

Command options

  • -mount (string: "") - Specifies the path where the KV backend is mounted. If specified, the next argument will be interpreted as the secret path. If this flag is not specified, the next argument will be interpreted as the combined mount path and secret path, with /data/ automatically inserted for KV v2 secrets.

  • -version (int: 0) - Specifies the version to return. If not set the latest version is returned.

Edit this page on GitHub