Introduction
HashiCorp Cloud Platform (HCP) Vault Secrets is a secrets lifecycle management solution to centralize your secrets and enable your applications to access them from their workflow.
The clients (systems or users) can interact with HCP Vault Secrets using the command-line interface (CLI), HCP Portal, or API.
You can read more about the product here:
https://www.hashicorp.com/blog/announcing-hcp-vault-secrets-public-beta
https://developer.hashicorp.com/hcp/docs/vault-secrets
In this article, we'll provide a few simple examples of how you can get, create and delete secrets via the API using the curl command.
Prerequisites
1. curl, and jq (used below to parse the JSON responses)
2. HCP Service Principal credentials (Client ID and Client secret)
3. Once you have the Client ID and Client secret, export them as environment variables:
export HCP_CLIENT_ID=<Your HCP Service Principal Client ID>
export HCP_CLIENT_SECRET=<Your HCP Service Principal Client secret>
4. We need to export a few more environment variables:
export HCP_ORG_ID=<Your HCP Org ID>
export HCP_PROJ_ID=<Your HCP Project ID>
export VLT_APPS_NAME=<Your HCP Vault Secrets Apps name>
You can retrieve your HCP Org ID and HCP Project ID by visiting the HCP Portal and clicking on the project that holds your HCP Vault Secrets app.
These will be available as part of the URL in the address bar of your browser, similar to a format like this:
https://portal.cloud.hashicorp.com/orgs/Your-HCP-Org-ID/projects/Your-HCP-Project-ID
5. An HCP API token, which you can obtain and set as an environment variable by running:
HCP_API_TOKEN=$(curl \
--location 'https://auth.hashicorp.com/oauth/token' \
--header 'content-type: application/json' \
--data '{"audience": "https://api.hashicorp.cloud", "grant_type": "client_credentials", "client_id": "'"$HCP_CLIENT_ID"'", "client_secret": "'"$HCP_CLIENT_SECRET"'"}' | jq -r .access_token)
export HCP_API_TOKEN
If authentication fails, jq prints the string null, so confirm that HCP_API_TOKEN holds a real token before continuing.
Procedure
GET
To get a secret from HCP Vault Secrets via the API, run:
curl \
--silent \
--header "Authorization: Bearer $HCP_API_TOKEN" \
--header "Content-Type: application/json" \
--location "https://api.cloud.hashicorp.com/secrets/2023-06-13/organizations/$HCP_ORG_ID/projects/$HCP_PROJ_ID/apps/$VLT_APPS_NAME/open/my_secret_name" | jq
Important: Replace my_secret_name with your actual secret name. Currently, you can only get the latest version of the secret.
CREATE
To create a secret in HCP Vault Secrets via the API, run:
curl \
--request POST \
--location "https://api.cloud.hashicorp.com/secrets/2023-06-13/organizations/$HCP_ORG_ID/projects/$HCP_PROJ_ID/apps/$VLT_APPS_NAME/kv" \
--header "Authorization: Bearer $HCP_API_TOKEN" \
--header "Content-Type: application/json" \
--data-raw '{
"name": "my_secret_name",
"value": "my_secret_value"
}'
Important: Replace my_secret_name and my_secret_value with your desired secret name and value. If a secret with the same name exists, you'll create a new version of it.
DELETE
To delete a secret from HCP Vault Secrets via the API, run:
curl \
--request DELETE \
--location "https://api.cloud.hashicorp.com/secrets/2023-06-13/organizations/$HCP_ORG_ID/projects/$HCP_PROJ_ID/apps/$VLT_APPS_NAME/secrets/my_secret_name" \
--header "Authorization: Bearer $HCP_API_TOKEN"
Important: Replace my_secret_name with the actual name of the secret you want to delete. You cannot delete a single version of a secret; deleting removes the container (all versions).
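A hardened variant of the token request and GET call above, added here as an example (it is not part of the original article or HashiCorp's own code): the client secret and bearer token reach curl on stdin instead of as command-line arguments, where the process list can expose them, and a failed login is caught instead of leaving HCP_API_TOKEN set to null. The function names and the [A-Za-z0-9_] limit on secret names are assumptions of this example.

```shell
# Added example; function names are hypothetical, endpoints are the article's.
HCP_AUTH_URL='https://auth.hashicorp.com/oauth/token'
HCP_API_BASE='https://api.cloud.hashicorp.com/secrets/2023-06-13'

# Request a token. jq builds the JSON body from the exported environment
# variables and curl reads it from stdin (--data @-), so the client secret
# is never a command-line argument. Returns non-zero if no token came back.
hcp_get_token() {
  _tok=$(jq -n '{audience: "https://api.hashicorp.cloud",
                 grant_type: "client_credentials",
                 client_id: env.HCP_CLIENT_ID,
                 client_secret: env.HCP_CLIENT_SECRET}' |
    curl --silent --fail --location "$HCP_AUTH_URL" \
         --header 'content-type: application/json' --data @- |
    jq -r '.access_token // empty')
  [ -n "$_tok" ] || { echo 'error: token request failed' >&2; return 1; }
  printf '%s\n' "$_tok"
}

# Emit a curl config line carrying the bearer token. Rejects an empty token,
# the literal "null" that `jq -r .access_token` prints after a failed login,
# and any character that could break out of the quoted config value.
hcp_auth_config() {
  case "$1" in
    ''|null|*[!A-Za-z0-9._~+/=-]*)
      echo 'error: no usable HCP API token' >&2; return 1 ;;
  esac
  printf 'header = "Authorization: Bearer %s"\n' "$1"
}

# Build an endpoint URL: $1 is "open" (read) or "secrets" (delete), $2 the
# secret name. Limiting names to [A-Za-z0-9_] is this example's assumption;
# it keeps "/", "?" and ".." out of the request path.
hcp_secret_url() {
  case "$1" in open|secrets) ;; *) return 1 ;; esac
  case "$2" in
    ''|*[!A-Za-z0-9_]*) echo 'error: bad secret name' >&2; return 1 ;;
  esac
  printf '%s/organizations/%s/projects/%s/apps/%s/%s/%s\n' \
    "$HCP_API_BASE" "$HCP_ORG_ID" "$HCP_PROJ_ID" "$VLT_APPS_NAME" "$1" "$2"
}

# Read a secret; the token reaches curl through stdin (-K -), not argv.
hcp_read_secret() {
  _url=$(hcp_secret_url open "$1") || return 1
  _cfg=$(hcp_auth_config "$HCP_API_TOKEN") || return 1
  printf '%s\n' "$_cfg" | curl --silent --fail --location -K - "$_url"
}
# Usage: HCP_API_TOKEN=$(hcp_get_token) && hcp_read_secret my_secret_name | jq
```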
Additional Information
HCP Vault Secrets is still in beta and you can try it for free today.