Introduction
When using the KV v2 secrets engine in Vault, attempting to roll back a secret to a previous version sometimes fails with the error "Cannot roll back to a version that has been deleted", even though the target version is not deleted.
Observed Behavior
- The secret version has a valid deletion_time that is later than the current time.
- The secret version is not destroyed.
- Despite this, rollback to that version fails.
Cause
The rollback operation treats a secret version as deleted if the secret's metadata was written before the actual secret was created, i.e., delete-version-after was set before the first key-value pair was written.
Normally, secret metadata and secret values are created together. However, if metadata such as delete-version-after is configured before the specific version of the secret is written, the rollback operation derives the version's state from a comparison against the metadata creation timestamp, and so misclassifies the version as deleted.
Workaround
Currently, there is no alternative to this behaviour. While this behaviour may or may not change in upcoming versions depending on feasibility, it is advisable to add or modify the delete-version-after metadata only after initially creating the secret, so that rollback to a specific version remains possible.
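As an added example (not code from the article or from HashiCorp), the following Python check reads a secret's KV v2 metadata and flags the ordering described under Cause: a metadata record created before the oldest secret version. It assumes the JSON layout of vault kv metadata get -format=json and a one-second tolerance for timestamps set within a single write request; the sample metadata is constructed.

```python
"""Flag KV v2 secrets whose metadata record predates their oldest version."""
import json
import subprocess
from datetime import datetime


def parse_vault_time(ts: str) -> datetime:
    """Parse a Vault RFC 3339 timestamp (nanosecond precision, trailing Z)."""
    ts = ts.rstrip("Z")
    if "." in ts:
        head, frac = ts.split(".", 1)
        ts = f"{head}.{frac[:6].ljust(6, '0')}"  # fromisoformat accepts <= 6 digits
    return datetime.fromisoformat(ts)


def metadata_predates_first_version(meta: dict, tolerance_s: float = 1.0) -> bool:
    """True when the metadata record was created more than `tolerance_s` seconds
    before the oldest version, i.e. `kv metadata put` ran before the first `kv put`.
    Assumption: this is the ordering that makes rollback report the version as
    deleted; the tolerance absorbs timestamps written in the same request."""
    versions = meta["versions"]
    oldest = str(meta.get("oldest_version") or min(int(v) for v in versions))
    first_version = parse_vault_time(versions[oldest]["created_time"])
    gap = first_version - parse_vault_time(meta["created_time"])
    return gap.total_seconds() > tolerance_s


def metadata_from_cli_json(raw: str) -> dict:
    """Extract the .data object from `vault kv metadata get -format=json` output."""
    return json.loads(raw)["data"]


def read_metadata(mount: str, path: str, run=subprocess.run) -> dict:
    """Fetch metadata through the Vault CLI (`run` is injectable for testing)."""
    proc = run(["vault", "kv", "metadata", "get", "-format=json",
                f"-mount={mount}", path], check=True, capture_output=True, text=True)
    return metadata_from_cli_json(proc.stdout)


# Constructed sample: delete-version-after was set five minutes before the secret.
SAMPLE_BROKEN = {
    "created_time": "2024-05-01T10:00:00.000000000Z",
    "delete_version_after": "24h", "oldest_version": 1,
    "versions": {
        "1": {"created_time": "2024-05-01T10:05:00.000000000Z",
              "deletion_time": "2024-05-02T10:05:00.000000000Z", "destroyed": False},
        "2": {"created_time": "2024-05-01T10:06:00.000000000Z",
              "deletion_time": "2024-05-02T10:06:00.000000000Z", "destroyed": False},
    },
}
# Constructed sample following the workaround: secret first, then the TTL metadata.
SAMPLE_OK = {"created_time": "2024-05-01T10:05:00.000000000Z", "delete_version_after": "24h",
             "oldest_version": 1, "versions": {"1": SAMPLE_BROKEN["versions"]["1"]}}

if __name__ == "__main__":
    for name, meta in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK)):
        print(name, "rollback at risk" if metadata_predates_first_version(meta) else "fine")
```

Running the check across a mount's secrets before an incident, rather than during a rollback, shows which secrets need to be rewritten with the workaround ordering.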
Reference