reading kv secrets the proper way

[kbuchsicf]

I have secrets in Vault which I populated with the CLI: vault kv put -tls-skip-verify "secret/directory/$client" token="$clientToken"

When using vault-ruby to read these secrets back from Vault, I end up having to parse the Table format response:

kvarr = Vault.logical.read('secret/directory/sampleclient').data[:token].split("\n") clienttoken = kvarr.select { |line| /^token */.match(line) }[0].split(/ */)[1]

Is there a cleaner way to do this, or is this suggesting the need for the addition of a new API in vault-ruby, like: Vault.logical.kvget('secret/directory/sampleclient', 'token')

[mschuchard]

Vault.logical.read('secret/directory/sampleclient').data[:token] returns the value $clientToken in kv version 1 (which it looks like you are using based on the lack of the :data key). That additional parsing seems due to a multiline string.

[kbuchsicf]

Thanks for helping me get back on track.

I was creating the clientToken via this vault command:
clientToken=$(vault token create -tls-skip-verify -display-name="${client}-level1" -orphan -policy="${client}-dir")

But, of course, that returns a table. So, I just needed to add "-field=token" to ensure I only get the token returned.

Thanks again!