This assumes you are familiar with the Python hvac client. If not, check out my article Hashicorp Vault - Getting Started with Python hvac.

This assumes the following has already been done.

• Hashicorp Vault has been installed
• Hashicorp Vault has been initialized
• Hashicorp Vault has been unsealed
• The secrets engine has been enabled

You can either:

• delete a secret (this article)
• destroy a secret

Let's say the secrets engine has been enabled with -path=secret/

~]# vault secrets enable -path=secret/ kv
Success! Enabled the kv secrets engine at: secret/

And let's say approle has been enabled and there is a role named "my-role" and contains a policy named "my-policy".

~]$ vault read auth/approle/role/my-role
Key                        Value
---                        -----
policies                   [my-policy]

In this example, since the secrets engine has been enabled with -path=secret/ the policy path will need to begin with secret/

Let's say "my-policy" permits the following capabilities to "secret/my_path/*".

~]$ vault policy read my-policy
path "secret/my_path/*" {
  capabilities = ["create", "delete", "list", "patch", "read", "update"]
}

Before deleting a secret, you may want to first:

• list secrets using Python hvac to get the list of secrets
• list keys in a secret using Python hvac to get the latest version of the secret

In this scenario, you would first use approle login with the role ID and secret ID for my-role and then use client.secrets.kv.v2.delete_latest_version_of_secret to delete the latest version of the secret.

• mount_path='my_path' is used here since my-policy has secret/my_path/*
• path='my_secret' is used to delete the latest version of the secret named my_secret at secret/my_path/my_secret

Check out my article Hashicorp Vault - Error Handling using Python hvac for details on how to include Error Handling.

#!/usr/bin/python3
import hvac

client = hvac.Client(url='http://vault.example.com:8200')

client.auth.approle.login(
  role_id="b4a68549-1464-7aac-b0cd-d22954985aa8",
  secret_id="6039e2e2-6017-8db9-2e1b-dd6bd449f901"
)

list_secrets = client.secrets.kv.v2.list_secrets(
  mount_point='my_path',
  path=''
)

print(f"list_secrets = {list_secrets}")

read_secret_version = client.secrets.kv.v2.read_secret_version(
  mount_path='my_path'
  path='my_secret'
)

print(f"attempting to delete version {read_secret_version['data']['metadata']['version']} of my_secret")

result = client.secrets.kv.v2.delete_latest_version_of_secret(
  mount_path='my_path',
  path='my_secret'
)

print(f"result = {result}")

client.logout()

Or, delete_secret_versions can be used to delete one or more versions of a secret. 

delete_secret = client.secrets.kv.v2.delete_secret_versions(
  mount_path='my_path',
  path='my_secret',
  versions=[1,2,3]
)

If the secret is successfully delete, response code 204 should be returned, thus you can do something like this based on the response code.

delete_secret = client.secrets.kv.v2.delete_latest_version_of_secret(
  mount_path='my_path',
  path='my_secret'
)

if delete_secret.status_code == 204:
  print(f"secret was successfully deleted")
else:
  print(f"expected status code 204 but instead got {delete_secret.status_code}")