How to retrieve old versions of keys using spring-cloud-vault?


I'm using spring-cloud-vault to retrieve the versioned kv from the vault server. When I use environment.getSecret("key1"), it returns only the latest version of the key, for example world2. Is there any way to retrieve the old versions of secrets by specifying the version number for a given key using the spring-cloud-vault library?

#vault kv put secret/my-app key1=world1
Key              Value
---              -----
created_time     2018-09-20T12:00:19.6136263Z
deletion_time    n/a
destroyed        false
version          1

#vault kv put secret/my-app key1=world2
Key              Value
---              -----
created_time     2018-09-20T12:00:27.1820524Z
deletion_time    n/a
destroyed        false
version          2

Thanks for your help.

There is 1 best solution below

As of release 2.0, Spring Cloud Vault supports the versioned Key-Value API (key-value backend v2). There are two differences from the non-versioned Key-Value API (key-value backend v1):

  1. The versioned Key-Value backend uses a different API. In particular, HTTP paths and the JSON payload are slightly different.
  2. The versioned Key-Value backend is able to store multiple versions.

With Spring Cloud Vault, only the first aspect, differences in the API, was considered (see the related GitHub ticket for further details).

Spring Cloud Vault does not use the versioning aspect (i.e. reading an older secret version) but rather reads the latest secret version. I filed a ticket for using Vault's versioning features with configuration properties/the Environment. That ticket should be a good place to start a discussion about what such an integration could look like and how it could make the most sense.
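
The two API differences the answer lists, shown against Vault's key-value HTTP API, where the v2 backend selects an older version with the `version` query parameter. This is an added example, not part of the original answer and not Spring Cloud Vault code; the function names are hypothetical and the JSON bodies are constructed samples built from the question's values.

```python
import json
from urllib.parse import quote, urlencode

def kv_read_path(mount, path, kv_backend, version=None):
    """Build the HTTP API read path for a KV v1 or v2 mount."""
    mount, path = quote(mount.strip("/")), quote(path.strip("/"))
    if kv_backend == 1:
        if version is not None:
            raise ValueError("KV v1 keeps one value per path; no version selector")
        return f"/v1/{mount}/{path}"
    if kv_backend != 2:
        raise ValueError("kv_backend must be 1 or 2")
    url = f"/v1/{mount}/data/{path}"          # v2 inserts 'data/' after the mount
    if version is not None:
        if int(version) < 1:
            raise ValueError("secret versions start at 1")
        url += "?" + urlencode({"version": int(version)})
    return url

def extract_secret(body, kv_backend):
    """Return (secret, metadata) from a read response; metadata is None on v1."""
    doc = json.loads(body)
    if kv_backend == 1:
        return doc["data"], None              # v1: key/values sit directly under 'data'
    inner = doc["data"]                       # v2: one more level, plus 'metadata'
    meta = inner["metadata"]
    if meta["destroyed"] or meta["deletion_time"] or inner["data"] is None:
        raise LookupError(f"version {meta['version']} was deleted or destroyed")
    return inner["data"], meta

# Constructed sample bodies (values taken from the question's CLI output).
V1_BODY = '{"data": {"key1": "world2"}}'
V2_BODY_VERSION_1 = json.dumps({"data": {
    "data": {"key1": "world1"},
    "metadata": {"created_time": "2018-09-20T12:00:19.6136263Z",
                 "deletion_time": "", "destroyed": False, "version": 1}}})
V2_BODY_DESTROYED = json.dumps({"data": {
    "data": None,
    "metadata": {"created_time": "2018-09-20T12:00:19.6136263Z",
                 "deletion_time": "", "destroyed": True, "version": 1}}})

if __name__ == "__main__":
    print(kv_read_path("secret", "my-app", 2, version=1))
    print(extract_secret(V2_BODY_VERSION_1, 2))
```

Checking `destroyed` and `deletion_time` before using the payload keeps a removed version from being treated as a live credential.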