This assumes you are familiar with the Python hvac client. If not, check out my article Hashicorp Vault - Getting Started with Python hvac.

This assumes the following has already been done.

• Hashicorp Vault has been installed
• Hashicorp Vault has been initialized
• Hashicorp Vault has been unsealed

Let's say the secrets engine has been enabled with -path=secret/

~]# vault secrets enable -path=secret/ kv
Success! Enabled the kv secrets engine at: secret/

And let's say approle has been enabled and there is a role named "my-role" and contains a policy named "my-policy".

~]$ vault read auth/approle/role/my-role
Key                        Value
---                        -----
policies                   [my-policy]

In this example, since the secrets engine has been enabled with -path=secret/ the policy path will need to begin with secret/

Let's say "my-policy" permits the following capabilities to "secret/my_path/*".

~]$ vault policy read my-policy
path "secret/my_path/*" {
  capabilities = ["create", "delete", "list", "patch", "read", "update"]
}

In this scenario, you would first use approle login with the role ID and secret ID for my-role and then use client.secrets.kv.v2.list_secrets to list the secrets at secret/my_path/.

• mount_path='my_path' is used here since my-policy has secret/my_path/*
• path='' is used to list all of the secrets in secret/my_path/

Check out my article Hashicorp Vault - Error Handling using Python hvac for details on how to include Error Handling.

#!/usr/bin/python3
import hvac

client = hvac.Client(url='http://vault.example.com:8200')

client.auth.approle.login(
  role_id="b4a68549-1464-7aac-b0cd-d22954985aa8",
  secret_id="6039e2e2-6017-8db9-2e1b-dd6bd449f901"
)

list_secrets = client.secrets.kv.v1.list_secrets(
  mount_point='my_path',
  path=''
)

print(f"list_secrets = {list_secrets}")

client.logout()

Something like this should be returned. In this example, there are two secrets in my_path, my_first_secret and my_second_secret.

{
  'request_id': 'd0e769b7-7c2b-c0b0-3606-033ba351461f', 
  'lease_id': '', 
  'renewable': False, 
  'lease_duration': 0, 
  'data': {
    'keys': [
      'my_first_secret', 
      'my_second_secret'
    ]
  }, 
  'wrap_info': None, 
  'warnings': None, 
  'auth': None
}

Then client.secrets.kv.v2.read_secret_version can be used to list the keys (and values) in a secret.

• mount_path='my_path' is used here since my-policy has secret/my_path/*
• path='my_first_secret' is used to get the keys and values of my_secret at secret/my_path/my_first_secret

response = client.secrets.kv.v2.read_secret_version(
  mount_path='my_path'
  path='my_first_secret',
  raise_on_deleted_version=False
)

print(response)

Something like this should be returned. In this example, my_first_secret contains two key/value pairs, foo: hello and bar: world.

{
  'request_id': '9a951153-a408-5d12-e3fc-a9449da14e7e', 
  'lease_id': '', 
  'renewable': False, 
  'lease_duration': 0, 
  'data': {
    'data': {
      'foo': 'hello', 
      'bar': 'world'
    }, 
    'metadata': {
      'created_time': '2024-03-20T11:48:08.69342151Z', 
      'custom_metadata': None, 
      'deletion_time': '', 
      'destroyed': False, 
      'version': 18
    }
  }, 
  'wrap_info': None, 
  'warnings': None, 
  'auth': None
}

Each time you update a secret, by default, a new version of the secret is created. If you do not include version, then the latest version of the secret will be returned. Here is how you can get a specific version of the secret.

response = client.secrets.kv.v2.read_secret_version(
  mount_path='my_path'
  path='my_first_secret',
  version=2,
  raise_on_deleted_version=False
)