JetBrains / teamcity-hashicorp-vault-plugin

TeamCity plugin to support HashiCorp Vault
Apache License 2.0

Add automatic verification of Vault KV version #17

Open alexandersusha opened 5 years ago

alexandersusha commented 5 years ago

In https://github.com/JetBrains/teamcity-hashicorp-vault-plugin/issues/11 there was the comment "Unfortunately it's unclear how to do that automatically since secret backend could be mounted anywhere". Actually, it is not very comfortable to manually update hundreds of parameter variables which use values from Vault (secret/test -> secret/data/test) in case of a migration from KV to KV v2.

However, I guess that it is possible to get the secret backend name from a secret path (the first word, e.g. secret/test -> secret/) and then use a request like "curl --header "X-Vault-Token: " /v1/sys/mounts" to check the version of the secret backend. The following Vault ACL rule is required for this: path "sys/mounts" { policy = "read" }. I'd like to draw your attention to the fact that a secret backend v1 can have two possible types: "kv" or "generic". It would make the migration process (KV -> KV v2) much easier if the plugin were able to identify the KV version on the fly.
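As an added illustration of the lookup proposed above (not code from the plugin or from the commenter), the following Python shows how a client could derive the mount from a secret path, read the KV version out of a sys/mounts listing, treat the old "generic" type as KV v1, and rewrite the path to insert the "data/" segment that KV v2 requires. The sys/mounts body is a constructed sample, not a captured response, and the function names are this example's own.

```python
import json

# Constructed sample of what GET /v1/sys/mounts returns (not captured from a real
# Vault server). Keys are mount paths, each ending in "/"; KV v2 mounts carry
# options.version == "2", KV v1 mounts carry "1" or no options, and older Vault
# releases report KV v1 under the type name "generic".
SAMPLE_SYS_MOUNTS = json.dumps({
    "secret/": {"type": "kv", "options": {"version": "2"}},
    "legacy/": {"type": "generic", "options": None},
    "team/app/": {"type": "kv", "options": {"version": "1"}},
    "cubbyhole/": {"type": "cubbyhole", "options": None},
})


def parse_mounts(body):
    """Return {mount_path: mount_info} from a sys/mounts response body.

    Newer Vault releases wrap the listing in a "data" object; older ones put the
    mount paths at the top level next to request metadata, so both are accepted.
    """
    doc = json.loads(body)
    listing = doc.get("data", doc)
    return {
        path: info
        for path, info in listing.items()
        if path.endswith("/") and isinstance(info, dict) and "type" in info
    }


def find_mount(mounts, secret_path):
    """Longest mount prefix covering secret_path, or None.

    Mount paths always end in "/", so a plain prefix test is segment-safe
    ("secret/" does not match "secrets/foo"). The longest match wins because a
    backend may be mounted below the path of another one.
    """
    matches = [m for m in mounts if secret_path.startswith(m)]
    return max(matches, key=len) if matches else None


def kv_version(mount_info):
    """KV version of a mount (1 or 2), or None if it is not a KV backend."""
    backend_type = mount_info.get("type")
    if backend_type == "generic":            # older name for what is now KV v1
        return 1
    if backend_type != "kv":
        return None
    options = mount_info.get("options") or {}
    return int(options.get("version") or 1)  # a missing version means v1


def resolve_read_path(mounts, secret_path):
    """Map a user-supplied secret path to the path the API must read, plus version.

    For KV v2 the "data/" segment is inserted directly after the mount path, so
    "secret/test" becomes "secret/data/test"; for a backend mounted at
    "team/app/" the same rule yields "team/app/data/<rest>".
    """
    secret_path = secret_path.lstrip("/")
    mount = find_mount(mounts, secret_path)
    if mount is None:
        raise ValueError(f"no mount covers {secret_path!r}")
    version = kv_version(mounts[mount])
    if version is None:
        raise ValueError(f"{mount} is not a KV backend")
    if version == 2:
        return f"{mount}data/{secret_path[len(mount):]}", 2
    return secret_path, 1


if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_SYS_MOUNTS)
    for p in ("secret/test", "legacy/test", "team/app/db"):
        print(p, "->", resolve_read_path(mounts, p))
```

The listing would normally come from GET /v1/sys/mounts with the token in the X-Vault-Token header, which is exactly the call that needs the read policy on sys/mounts mentioned above; the prefix match must be done against the full mount table rather than the first path segment, since a backend can be mounted at a nested path.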

VladRassokhin commented 5 years ago

Generally speaking, the 'secret' backend may be mounted on any arbitrary path. Also, the plugin should not rely on additional permissions (like reading sys/mounts). That's why KV2 is supported the way it's supported.

At HashiConf I asked the Vault developers to support some extension HTTP header in responses carrying the KV version, though I haven't succeeded in pushing that idea.