Vault
Set max data versions in key/value v2
Limit the number of active versions for a kv v2 secret path so Vault permanently deletes (destroys) older data versions automatically.
Assumptions
- You have set up a kv v2 plugin.
- Your authentication token has metadata permissions for the kv v2 plugin.
Use vault kv metadata put to change the max number of versions allowed for a kv mount path:
$ vault kv metadata put \
-max-versions <max_versions> \
-mount <mount_path> \
<secret_path>
For example:
$ vault kv metadata put \
-max-versions 5 \
-mount shared \
dev/square-api
Success! Data written to: shared/metadata/dev/square-api
Vault now auto-deletes data when the number of versions exceeds 5:
$ vault kv metadata get -mount shared dev/square-api
======== Metadata Path ========
shared/metadata/dev/square-api

========== Metadata ==========
Key                     Value
---                     -----
cas_required            false
created_time            2024-11-13T21:51:50.898782695Z
current_version         4
custom_metadata         <nil>
delete_version_after    0s
max_versions            5
oldest_version          0
updated_time            2024-11-14T22:32:42.29534643Z

====== Version 1 ======
Key              Value
---              -----
created_time     2024-11-13T21:51:50.898782695Z
deletion_time    n/a
destroyed        false
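
To check the limit across many secrets, the following added example (not part of the Vault documentation) reads the JSON form of the metadata shown above and reports the effective version limit and which stored versions the next write would destroy. The sample JSON is constructed, the function names and `policy_max` are hypothetical, and the pruning rule (only the newest `max_versions` versions are kept) is a simplified model of Vault's behaviour.

```python
import json

VAULT_DEFAULT_MAX = 10  # Vault keeps 10 versions when key and mount are both unset (0)

# Constructed sample, shaped like `vault kv metadata get -format=json` output.
SAMPLE = json.loads("""
{"data": {"current_version": 4, "max_versions": 5, "oldest_version": 0,
  "versions": {
    "1": {"created_time": "2024-01-01T00:00:00Z", "deletion_time": "", "destroyed": false},
    "2": {"created_time": "2024-01-02T00:00:00Z",
          "deletion_time": "2024-01-05T00:00:00Z", "destroyed": false},
    "3": {"created_time": "2024-01-03T00:00:00Z", "deletion_time": "", "destroyed": false},
    "4": {"created_time": "2024-01-04T00:00:00Z", "deletion_time": "", "destroyed": false}
  }}}
""")


def effective_max(key_max, mount_max=0):
    """The key's own setting wins; 0 means unset, so fall back to the mount, then the default."""
    return key_max or mount_max or VAULT_DEFAULT_MAX


def audit(meta, policy_max, mount_max=0):
    """Compare one secret's version limit with a hypothetical policy ceiling."""
    data = meta["data"]
    limit = effective_max(data.get("max_versions", 0), mount_max)
    # Soft-deleted versions still hold data until they are destroyed, so count them.
    stored = sorted(int(v) for v, info in data["versions"].items() if not info["destroyed"])
    next_version = data["current_version"] + 1
    # Simplified model: after the next write only the newest `limit` versions remain.
    doomed = [v for v in stored if v <= next_version - limit]
    return {"effective_max": limit, "compliant": limit <= policy_max,
            "stored_versions": stored, "destroyed_on_next_write": doomed}


if __name__ == "__main__":
    print(audit(SAMPLE, policy_max=5))
```

A secret whose `max_versions` is 0 inherits the mount-level limit, so pass that value as `mount_max` when auditing paths that were never configured individually.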