rajanadar / VaultSharp

A comprehensive cross-platform .NET Library for HashiCorp's Vault, a secret management tool
http://rajanadar.github.io/VaultSharp
Apache License 2.0
493 stars 134 forks

Feature request : Read secret keys (without content ) #268

Closed stephdep closed 2 years ago

stephdep commented 2 years ago

Due to security rights, we would need a method that can read the present secret keys without retrieving the actual secret content. We have currently implemented this functionality outside the library, but would prefer to have it in the library.

Hereby our code:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;

public static class VaultConstants
{
    // KV v2 subkeys endpoint on the "secret" mount: reading it needs "read" on secret/subkeys/<path>, not on secret/data/<path>.
    public const string VaultSubKeysPath = "/v1/secret/subkeys/";
    public const string VaultRequestHeaderKey = "X-Vault-Request";
    public const string VaultTokenHeaderKey = "X-Vault-Token";
}

// Shape assumed for the response type used below: data.subkeys maps each key name to null (leaf)
// or to a nested map; the secret values themselves are never part of this response.
public class VaultResponse { [JsonProperty("data")] public VaultResponseData Data { get; set; } }
public class VaultResponseData { [JsonProperty("subkeys")] public Dictionary<string, object> Subkeys { get; set; } }
public class VaultOptions { public string Token { get; set; } }

public partial class VaultKeyReader
{
    private readonly HttpClient _httpClient; // BaseAddress must point at the Vault server
    private readonly ILogger _logger;
    private readonly VaultOptions _options;  // carries the Vault token

    private async Task<IList<string>> ReadAllKeys(string path)
    {
        _logger.LogDebug("Reading all Vault keys under {VaultPath}", path);
        var requestUri = new Uri(VaultConstants.VaultSubKeysPath + path, UriKind.Relative);
        using var httpRequestMessage = new HttpRequestMessage(HttpMethod.Get, requestUri);
        httpRequestMessage.Headers.Add(VaultConstants.VaultRequestHeaderKey, "true");
        httpRequestMessage.Headers.Add(VaultConstants.VaultTokenHeaderKey, _options.Token);
        using var httpResponseMessage = await _httpClient.SendAsync(httpRequestMessage);

        if (httpResponseMessage.IsSuccessStatusCode)
        {
            var responseText = await httpResponseMessage.Content.ReadAsStringAsync();
            if (!string.IsNullOrWhiteSpace(responseText))
            {
                var vaultResponse = JsonConvert.DeserializeObject<VaultResponse>(responseText);
                if (vaultResponse?.Data?.Subkeys != null)
                    return vaultResponse.Data.Subkeys.Keys.ToList(); // top-level key names only
            }
            return new List<string>();
        }
        if (httpResponseMessage.StatusCode == HttpStatusCode.NotFound) // the path is not present in Vault yet
        {
            return new List<string>();
        }

        _logger.LogError("Error reading Vault keys under {VaultPath}, statusCode: {StatusCode}", path, httpResponseMessage.StatusCode);
        throw new Exception($"Error reading Vault keys under {path}");
    }
}
```

konidev20 commented 2 years ago

Hey @stephdep,

Have you tried the ReadSecretPathsAsync API from IKeyValueSecretsEngineV2?

```csharp
/// <summary>
/// Retrieves the secret location path entries at the specified location.
/// Folders are suffixed with /. The input must be a folder; list on a file will not return a value.
/// The values themselves are not accessible via this API.
/// </summary>
/// <param name="path"><para>[required]</para>
/// The location path where the secret needs to be read from.</param>
/// <param name="mountPoint"><para>[optional]</para>
/// The mount point for the Generic backend. Defaults to <see cref="SecretsEngineMountPoints.KeyValueV2" />
/// Provide a value only if you have customized the mount point.</param>
/// <param name="wrapTimeToLive">
/// <para>[optional]</para>
/// The TTL for the token and can be either an integer number of seconds or a string duration of seconds.
/// </param>
/// <returns>
/// The secret list with the data.
/// </returns>
Task<Secret<ListInfo>> ReadSecretPathsAsync(string path, string mountPoint = null, string wrapTimeToLive = null);
```

I believe this API is also available in IKeyValueSecretsEngineV1.

Let me know if this was your requirement.

Thanks & Regards, @konidev20

konidev20 commented 2 years ago

@stephdep I think I got what your requirement is after reading the Vault documentation.

This is the API you want in the library right? https://www.vaultproject.io/api-docs/secret/kv/kv-v2#read-secret-subkeys

stephdep commented 2 years ago

Exactly! Retrieving the keys without the secrets.
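Added example (editor's code, not from the issue or from VaultSharp): the subkeys endpoint agreed on above returns key names as a nested map whose leaves are null, so taking only the top-level keys misses names inside nested values. This walks a constructed response offline with System.Text.Json and flattens it into slash-joined names; the secret path, key names and the policy in the comment are illustrative assumptions.

```csharp
// Walks a KV v2 "read secret subkeys" response offline. The JSON is constructed from the
// shape documented for GET /v1/<mount>/subkeys/<path>; path and key names are made up.
//
// The least-privilege policy this endpoint enables (Vault HCL, mount "secret" assumed):
//   path "secret/subkeys/app/*" { capabilities = ["read"] }
//   # no grant on secret/data/app/*, so the token can enumerate names but never values
using System;
using System.Collections.Generic;
using System.Text.Json;

public static class SubkeysExample
{
    // Constructed response for GET /v1/secret/subkeys/app/config (depth=0 means no nesting limit).
    // Leaf keys map to null; only object-valued entries carry further keys.
    public const string SampleResponse = @"{
      ""request_id"": ""00000000-0000-0000-0000-000000000000"",
      ""data"": {
        ""metadata"": { ""created_time"": ""2022-03-01T00:00:00Z"", ""version"": 3 },
        ""subkeys"": {
          ""username"": null,
          ""password"": null,
          ""tls"": { ""cert"": null, ""key"": null },
          ""db"": { ""primary"": { ""host"": null, ""port"": null } }
        }
      }
    }";

    // Flattens data.subkeys into names like "db/primary/host". The endpoint never carries
    // values, so the returned list is safe to log or display.
    public static List<string> FlattenSubkeys(string responseJson)
    {
        using var doc = JsonDocument.Parse(responseJson);
        var names = new List<string>();
        if (!doc.RootElement.TryGetProperty("data", out var data) ||
            !data.TryGetProperty("subkeys", out var subkeys) ||
            subkeys.ValueKind != JsonValueKind.Object)
        {
            // A 404 error body ({"errors":[...]}) or a malformed response has no keys to report.
            return names;
        }
        Walk(subkeys, "", names);
        return names;
    }

    private static void Walk(JsonElement node, string prefix, List<string> names)
    {
        foreach (var prop in node.EnumerateObject())
        {
            var name = prefix.Length == 0 ? prop.Name : prefix + "/" + prop.Name;
            if (prop.Value.ValueKind == JsonValueKind.Object)
            {
                Walk(prop.Value, name, names); // nested map: descend into its keys
            }
            else
            {
                names.Add(name);               // null leaf: a key whose value was withheld
            }
        }
    }

    public static void Main()
    {
        foreach (var name in FlattenSubkeys(SampleResponse))
            Console.WriteLine(name);
    }
}
```

Note the difference from ReadSecretPathsAsync mentioned earlier in the thread: that call is a LIST over a folder and returns the names of the secret entries under it, whereas subkeys looks inside one secret entry and returns the names of its data keys. Both withhold values, but they answer different questions.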

konidev20 commented 2 years ago

Hey @stephdep,

You can review the pull request I've raised for this request. I have followed the API documentation. You can pull the branch and test out the API to see if it satisfies your request.

rajanadar commented 2 years ago

Thanks @konidev20 for the PR. Made some subtle changes. Also, this is a Vault 1.10.0 feature. So, I'll release it after a 1.7 version sweep.

stephdep commented 2 years ago

Thanks !

rajanadar commented 1 year ago

Available here: https://www.nuget.org/packages/VaultSharp/1.7.2