
This assumes you are familiar with the Python hvac client. If not, check out my article Hashicorp Vault - Getting Started with Python hvac.
This assumes the following has already been done.
- Hashicorp Vault has been installed
- Hashicorp Vault has been initialized
- Hashicorp Vault has been unsealed
- The secrets engine has been enabled
Let's say the secrets engine has been enabled with -path=secret/
~]# vault secrets enable -path=secret/ kv
Success! Enabled the kv secrets engine at: secret/
Note that secret versions, soft deletes and undeletes are features of the kv version 2 engine, so the engine at secret/ must be kv-v2 (vault secrets enable -path=secret/ kv-v2); the hvac calls below use the kv v2 API.
And let's say the approle auth method has been enabled and there is a role named "my-role" that has a policy named "my-policy".
~]$ vault read auth/approle/role/my-role
Key Value
--- -----
policies [my-policy]
In this example, since the secrets engine has been enabled with -path=secret/, the policy path will need to begin with secret/
Let's say "my-policy" permits the following capabilities to "secret/my_path/*".
~]$ vault policy read my-policy
path "secret/my_path/*" {
capabilities = ["create", "delete", "list", "patch", "read", "update"]
}
read_secret_metadata returns the metadata of a secret, including every version and whether each version has been deleted or destroyed.
#!/usr/bin/python3
import hvac

client = hvac.Client(url='http://vault.example.com:8200')
# AppRole credentials for "my-role"; load the secret_id from the environment or a file rather than source code
client.auth.approle.login(
    role_id="b4a68549-1464-7aac-b0cd-d22954985aa8",
    secret_id="6039e2e2-6017-8db9-2e1b-dd6bd449f901"
)

# mount_point is the path the kv engine was enabled at (secret/); path is the secret below that mount
secret_metadata = client.secrets.kv.v2.read_secret_metadata(
    path='my_path/my_secret',
    mount_point='secret'
)
print(f"secret_metadata = {secret_metadata}")
client.logout()
Something like this should be returned. Notice in this example
- version 1 has been deleted and destroyed
- version 2 has been deleted but not destroyed
- version 3 has not been deleted or destroyed
{
'request_id': '34f2cb66-853e-d69a-6232-b2019b139c38',
'lease_id': '',
'renewable': False,
'lease_duration': 0,
'data': {
'cas_required': False,
'created_time': '2024-03-21T08:31:48.115790111Z',
'current_version': 2,
'custom_metadata': None,
'delete_version_after': '0s',
'max_versions': 0,
'oldest_version': 0,
'updated_time': '2024-06-04T04:58:20.451509858Z',
'versions': {
'1': {
'created_time': '2024-01-21T08:31:48.115790111Z',
'deletion_time': '2024-02-21T08:34:32.936446412Z',
'destroyed': True},
'2': {
'created_time': '2024-03-21T08:31:48.115790111Z',
'deletion_time': '2024-03-21T08:34:32.936446412Z',
'destroyed': False},
'3': {
'created_time': '2024-06-04T04:58:20.451509858Z',
'deletion_time': '',
'destroyed': False}
}
},
'wrap_info': None,
'warnings': None,
'auth': None,
'mount_type': 'kv'
}
undelete_secret_versions can be used to undelete one or more versions of a secret that have been deleted but not destroyed (a destroyed version's data has been permanently removed and cannot be recovered).
#!/usr/bin/python3
import hvac

client = hvac.Client(url='http://vault.example.com:8200')
client.auth.approle.login(
    role_id="b4a68549-1464-7aac-b0cd-d22954985aa8",
    secret_id="6039e2e2-6017-8db9-2e1b-dd6bd449f901"
)

# Restore version 2, which was deleted but not destroyed; version 1 was destroyed and cannot be undeleted
client.secrets.kv.v2.undelete_secret_versions(
    path='my_path/my_secret',
    versions=[2],
    mount_point='secret'
)
client.logout()
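The two calls above can be combined so the metadata decides which versions are worth undeleting. This is an added example, not code from the original article or from the hvac project: classify_versions splits a read_secret_metadata response into live, recoverable and destroyed versions, undelete_recoverable calls undelete_secret_versions only for the soft-deleted ones, and FakeClient is a constructed stand-in for hvac.Client so the script runs offline (a real hvac.Client is passed the same way).

```python
#!/usr/bin/python3
import types

# Constructed sample mirroring the metadata output above: 1 destroyed, 2 soft-deleted, 3 live
SAMPLE_METADATA = {
    "data": {
        "current_version": 3,
        "versions": {
            "1": {"deletion_time": "2024-02-21T08:34:32Z", "destroyed": True},
            "2": {"deletion_time": "2024-03-21T08:34:32Z", "destroyed": False},
            "3": {"deletion_time": "", "destroyed": False},
        }
    }
}

def classify_versions(metadata):
    """Split a kv v2 metadata response into (live, recoverable, destroyed) version numbers."""
    live, recoverable, destroyed = [], [], []
    for number, info in metadata["data"]["versions"].items():
        version = int(number)
        if info["destroyed"]:
            destroyed.append(version)    # data permanently removed; undelete cannot bring it back
        elif info["deletion_time"]:
            recoverable.append(version)  # soft-deleted: undelete_secret_versions restores it
        else:
            live.append(version)
    return sorted(live), sorted(recoverable), sorted(destroyed)

def undelete_recoverable(client, path, mount_point="secret"):
    """Undelete every soft-deleted version of `path`; returns the version numbers restored."""
    metadata = client.secrets.kv.v2.read_secret_metadata(path=path, mount_point=mount_point)
    _, recoverable, _ = classify_versions(metadata)
    if recoverable:  # nothing to do when no version is soft-deleted
        client.secrets.kv.v2.undelete_secret_versions(
            path=path, versions=recoverable, mount_point=mount_point)
    return recoverable

class FakeClient:
    """Offline stand-in for hvac.Client with just the two kv v2 calls used here (constructed)."""
    def __init__(self, metadata):
        self.undeleted = []  # records (path, versions, mount_point) of each undelete call
        v2 = types.SimpleNamespace(
            read_secret_metadata=lambda path, mount_point="secret": metadata,
            undelete_secret_versions=lambda path, versions, mount_point="secret":
                self.undeleted.append((path, sorted(versions), mount_point)))
        self.secrets = types.SimpleNamespace(kv=types.SimpleNamespace(v2=v2))
```

With the sample metadata, undelete_recoverable(FakeClient(SAMPLE_METADATA), "my_path/my_secret") returns [2] and issues a single undelete for version 2.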