From cb3e1bcf661ca5645adcdae1458776ade240acce Mon Sep 17 00:00:00 2001 From: Nora Date: Mon, 9 Sep 2019 13:19:15 -0700 Subject: [PATCH 01/12] Restructure files (addresses #434 ) --- content/v2.0/security/secrets/_index.md | 0 content/v2.0/security/secrets/storing-secrets-in-bolt.md | 0 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 content/v2.0/security/secrets/_index.md create mode 100644 content/v2.0/security/secrets/storing-secrets-in-bolt.md diff --git a/content/v2.0/security/secrets/_index.md b/content/v2.0/security/secrets/_index.md new file mode 100644 index 000000000..e69de29bb diff --git a/content/v2.0/security/secrets/storing-secrets-in-bolt.md b/content/v2.0/security/secrets/storing-secrets-in-bolt.md new file mode 100644 index 000000000..e69de29bb From de1e9116b292485f062027310e1512247ac536be Mon Sep 17 00:00:00 2001 From: Kelly Date: Mon, 9 Sep 2019 14:36:58 -0700 Subject: [PATCH 02/12] enable the corrent version of KV engine (kv-v2) --- content/v2.0/security/use-vault.md | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/content/v2.0/security/use-vault.md b/content/v2.0/security/use-vault.md index 5fc8bc3bd..c53651855 100644 --- a/content/v2.0/security/use-vault.md +++ b/content/v2.0/security/use-vault.md @@ -10,7 +10,7 @@ weight: 102 [Vault](https://www.vaultproject.io/) secures, stores, and tightly controls access to tokens, passwords, certificates, and other sensitive secrets. -Store sensitive secrets in Vault using the InfluxDB built-in Vault integration. +Store sensitive secrets in Vault using the InfluxDB built-in Vault integration. {{% note %}} When not using Vault, secrets are Base64-encoded and stored in the InfluxDB embedded key value store, 
@@ -18,7 +18,9 @@ When not using Vault, secrets are Base64-encoded and stored in the InfluxDB embe {{% /note %}} ## Start a Vault server + Start a Vault server and ensure InfluxDB has network access to the server. + The following links provide information about running Vault in both development and production: - [Install Vault](https://learn.hashicorp.com/vault/getting-started/install) @@ -32,10 +34,12 @@ vault server -dev ``` ## Define Vault environment variables + Use [Vault environment variables](https://www.vaultproject.io/docs/commands/index.html#environment-variables) to provide connection credentials and other important Vault-related information to InfluxDB. #### Required environment variables + - `VAULT_ADDR`: The API address of your Vault server _(provided in the Vault server output)_. - `VAULT_TOKEN`: The [Vault token](https://learn.hashicorp.com/vault/getting-started/authentication) required to access your Vault server. @@ -47,6 +51,7 @@ export VAULT_ADDR='http://127.0.0.1:8200' VAULT_TOKEN='s.0X0XxXXx0xXxXXxxxXxXxX0 ``` ## Start InfluxDB + Start the [`influxd` service](/v2.0/reference/cli/influxd/) with the `--secret-store` option set to `vault`. @@ -55,6 +60,7 @@ influxd --secret-store vault ``` ## Test Vault storage + With Vault and InfluxDB servers running, use the InfluxDB API to test Vault: {{% note %}} @@ -63,6 +69,7 @@ and `YOURAUTHTOKEN` with your [InfluxDB authentication token](/v2.0/security/tok {{% /note %}} ##### Retrieve an organization's secrets + ```sh curl --request GET \ --url http://localhost:9999/api/v2/orgs//secrets \ @@ -79,6 +86,7 @@ curl --request GET \ ``` ##### Add secrets to an organization + ```sh curl --request PATCH \ --url http://localhost:9999/api/v2/orgs//secrets \ @@ -93,6 +101,7 @@ curl --request PATCH \ ``` ##### Retrieve the added secrets + ```bash curl --request GET \ --url http://localhost:9999/api/v2/orgs//secrets \ 
@@ -112,12 +121,17 @@ curl --request GET \ ``` ## Vault secrets storage -For each organization, InfluxDB creates a [secrets engine](https://learn.hashicorp.com/vault/getting-started/secrets-engines) -using the following pattern: -``` -/secret/data/ -``` +For each organization, InfluxDB creates a [secrets engine](https://learn.hashicorp.com/vault/getting-started/secrets-engines) +using the following pattern: `/secret/data/` + +{{% note %}} +The InfluxDB API supports KV engine v2 only. +{{% /note %}} + +#### Enable KV engine v2 + +To pass the correct version of the KV engine when you enable a secrets engine, run the following command `vault secrets enable kv-v2`. Secrets are stored in Vault as key value pairs in their respective secrets engines. From 6c62e0ae3ec9a07f040b955596b6a767d066dcd2 Mon Sep 17 00:00:00 2001 From: kelseiv <47797004+kelseiv@users.noreply.github.com> Date: Mon, 9 Sep 2019 14:42:28 -0700 Subject: [PATCH 03/12] Update use-vault.md --- content/v2.0/security/use-vault.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/v2.0/security/use-vault.md b/content/v2.0/security/use-vault.md index c53651855..2db1f42a5 100644 --- a/content/v2.0/security/use-vault.md +++ b/content/v2.0/security/use-vault.md @@ -129,9 +129,9 @@ using the following pattern: `/secret/data/` The InfluxDB API supports KV engine v2 only. {{% /note %}} -#### Enable KV engine v2 +#### Enable KV secrets engine v2 -To pass the correct version of the KV engine when you enable a secrets engine, run the following command `vault secrets enable kv-v2`. +To pass the correct version of the KV secrets engine when you enable a secrets engine, run: `vault secrets enable kv-v2`. Secrets are stored in Vault as key value pairs in their respective secrets engines. From 5d0e638afeb7a8a599b20c780b753397e17cd85d Mon Sep 17 00:00:00 2001 
From: Nora Date: Mon, 9 Sep 2019 14:43:42 -0700 Subject: [PATCH 04/12] Move vault doc --- content/v2.0/security/{ => secrets}/use-vault.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename content/v2.0/security/{ => secrets}/use-vault.md (100%) diff --git a/content/v2.0/security/use-vault.md b/content/v2.0/security/secrets/use-vault.md similarity index 100% rename from content/v2.0/security/use-vault.md rename to content/v2.0/security/secrets/use-vault.md From e802a19b929ef37acac9c954b1ff006812d3890a Mon Sep 17 00:00:00 2001 From: Nora Date: Mon, 9 Sep 2019 16:01:25 -0700 Subject: [PATCH 05/12] Add overview content to index page --- content/v2.0/security/secrets/_index.md | 14 ++++++++++++++ .../security/secrets/storing-secrets-in-bolt.md | 0 content/v2.0/security/secrets/use-vault.md | 6 +++--- 3 files changed, 17 insertions(+), 3 deletions(-) delete mode 100644 content/v2.0/security/secrets/storing-secrets-in-bolt.md diff --git a/content/v2.0/security/secrets/_index.md b/content/v2.0/security/secrets/_index.md index e69de29bb..030970e8f 100644 --- a/content/v2.0/security/secrets/_index.md +++ b/content/v2.0/security/secrets/_index.md @@ -0,0 +1,14 @@ +--- +title: Store secrets +description: +v2.0/tags: [secrets, security] +menu: + v2_0: + parent: Security & authorization +weight: 102 +--- + +There are two options for storing secrets with InfluxDB: + +- By default, secrets are Base64-encoded and stored in the InfluxDB embedded key value store, [BoltDB](https://github.com/boltdb/bolt). +- You can also set up Vault to store secrets. For details, see [Store secrets in Vault](/v2.0/security/secrets/use-vault). diff --git a/content/v2.0/security/secrets/storing-secrets-in-bolt.md b/content/v2.0/security/secrets/storing-secrets-in-bolt.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/content/v2.0/security/secrets/use-vault.md b/content/v2.0/security/secrets/use-vault.md index 2db1f42a5..36b42b372 100644 
--- a/content/v2.0/security/secrets/use-vault.md +++ b/content/v2.0/security/secrets/use-vault.md @@ -4,13 +4,13 @@ description: Manage authentication tokens in InfluxDB using the InfluxDB UI or t v2.0/tags: [tokens, security] menu: v2_0: - parent: Security & authorization -weight: 102 + parent: Store secrets +weight: 201 --- [Vault](https://www.vaultproject.io/) secures, stores, and tightly controls access to tokens, passwords, certificates, and other sensitive secrets. -Store sensitive secrets in Vault using the InfluxDB built-in Vault integration. +Store sensitive secrets in Vault using the InfluxDB built-in Vault integration. {{% note %}} When not using Vault, secrets are Base64-encoded and stored in the InfluxDB embedded key value store, From b95327d07b83dc66a638ce2b9d56868687e94574 Mon Sep 17 00:00:00 2001 From: Nora Date: Mon, 9 Sep 2019 16:06:59 -0700 Subject: [PATCH 06/12] Move API calls to manage doc --- .../v2.0/security/secrets/manage-secrets.md | 64 +++++++++++++++++++ content/v2.0/security/secrets/use-vault.md | 4 +- 2 files changed, 66 insertions(+), 2 deletions(-) create mode 100644 content/v2.0/security/secrets/manage-secrets.md diff --git a/content/v2.0/security/secrets/manage-secrets.md b/content/v2.0/security/secrets/manage-secrets.md new file mode 100644 index 000000000..053f69e45 --- /dev/null +++ b/content/v2.0/security/secrets/manage-secrets.md 
@@ -0,0 +1,64 @@ +--- +title: Manage secrets +description: Manage secrets in InfluxDB with the API. +v2.0/tags: [secrets, security] +menu: + v2_0: + parent: Store secrets +weight: 201 +--- + + +The following API calls allow you to manage secrets: + + +### Add secrets to an organization + +```sh +curl --request PATCH \ + --url http://localhost:9999/api/v2/orgs//secrets \ + --header 'authorization: Token YOURAUTHTOKEN' \ + --header 'content-type: application/json' \ + --data '{ + "foo": "bar", + "hello": "world" +}' + +# should return 204 no content +``` +### Retrieve an organization's secrets + +```sh +curl --request GET \ + --url http://localhost:9999/api/v2/orgs//secrets \ + --header 'authorization: Token YOURAUTHTOKEN' + +# should return +# { +# "links": { +# "org": "/api/v2/orgs/031c8cbefe101000", +# "secrets": "/api/v2/orgs/031c8cbefe101000/secrets" +# }, +# "secrets": [] +# } +``` + +### Retrieve the added secrets + +```bash +curl --request GET \ + --url http://localhost:9999/api/v2/orgs//secrets \ + --header 'authorization: Token YOURAUTHTOKEN' + +# should return +# { +# "links": { +# "org": "/api/v2/orgs/031c8cbefe101000", +# "secrets": "/api/v2/orgs/031c8cbefe101000/secrets" +# }, +# "secrets": [ +# "foo", +# "hello" +# ] +# } +``` diff --git a/content/v2.0/security/secrets/use-vault.md b/content/v2.0/security/secrets/use-vault.md index 36b42b372..7b6a74b60 100644 --- a/content/v2.0/security/secrets/use-vault.md +++ b/content/v2.0/security/secrets/use-vault.md @@ -1,7 +1,7 @@ --- title: Store secrets in Vault -description: Manage authentication tokens in InfluxDB using the InfluxDB UI or the influx CLI. -v2.0/tags: [tokens, security] +description: Manage secrets in InfluxDB using the InfluxDB UI or the influx CLI. +v2.0/tags: [secrets, security] menu: v2_0: parent: Store secrets From 049e7928b649542002df82ec04a8a32af6b77b2d Mon Sep 17 00:00:00 2001 
From: Kelly Date: Mon, 9 Sep 2019 16:14:31 -0700 Subject: [PATCH 07/12] move note about kv-v2 up to install section --- content/v2.0/security/secrets/use-vault.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/content/v2.0/security/secrets/use-vault.md b/content/v2.0/security/secrets/use-vault.md index 7b6a74b60..e50ff4716 100644 --- a/content/v2.0/security/secrets/use-vault.md +++ b/content/v2.0/security/secrets/use-vault.md @@ -33,6 +33,14 @@ For this example, install Vault on your local machine and start a Vault dev serv vault server -dev ``` +{{% note %}} +The InfluxDB API supports KV engine v2 only. +{{% /note %}} + +#### Enable KV secrets engine v2 + +To pass the correct version of the KV secrets engine when you enable a secrets engine, run: `vault secrets enable kv-v2`. + ## Define Vault environment variables Use [Vault environment variables](https://www.vaultproject.io/docs/commands/index.html#environment-variables) @@ -125,14 +133,6 @@ curl --request GET \ For each organization, InfluxDB creates a [secrets engine](https://learn.hashicorp.com/vault/getting-started/secrets-engines) using the following pattern: `/secret/data/` -{{% note %}} -The InfluxDB API supports KV engine v2 only. -{{% /note %}} - -#### Enable KV secrets engine v2 - -To pass the correct version of the KV secrets engine when you enable a secrets engine, run: `vault secrets enable kv-v2`. - Secrets are stored in Vault as key value pairs in their respective secrets engines. ``` From 9123ee349b996b52c902b4963fdcd780c5b8fc2e Mon Sep 17 00:00:00 2001 From: Kelly Date: Mon, 9 Sep 2019 16:21:01 -0700 Subject: [PATCH 08/12] add note to enable kv-v2 -secrets storage section --- content/v2.0/security/secrets/use-vault.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/content/v2.0/security/secrets/use-vault.md b/content/v2.0/security/secrets/use-vault.md index e50ff4716..dd2fdc65a 100644 --- a/content/v2.0/security/secrets/use-vault.md 
+++ b/content/v2.0/security/secrets/use-vault.md @@ -37,10 +37,6 @@ vault server -dev The InfluxDB API supports KV engine v2 only. {{% /note %}} -#### Enable KV secrets engine v2 - -To pass the correct version of the KV secrets engine when you enable a secrets engine, run: `vault secrets enable kv-v2`. - ## Define Vault environment variables Use [Vault environment variables](https://www.vaultproject.io/docs/commands/index.html#environment-variables) @@ -133,8 +129,11 @@ curl --request GET \ For each organization, InfluxDB creates a [secrets engine](https://learn.hashicorp.com/vault/getting-started/secrets-engines) using the following pattern: `/secret/data/` -Secrets are stored in Vault as key value pairs in their respective secrets engines. +{{% note %}} +When you create a secrets engine, enable the `kv-v2` version by running: `vault secrets enable kv-v2`. +{{% /note %}} +Secrets are stored in Vault as key value pairs in their respective secrets engines. ``` /secret/data/031c8cbefe101000 -> this_key: foo From 043fe36db7eb3ec1e20d701a17d4a10fe22f240a Mon Sep 17 00:00:00 2001 From: Scott Anderson Date: Mon, 9 Sep 2019 17:54:39 -0600 Subject: [PATCH 09/12] added example api calls and queries to the manage secrets doc --- .../v2.0/security/secrets/manage-secrets.md | 87 ++++++++++--------- 1 file changed, 46 insertions(+), 41 deletions(-) diff --git a/content/v2.0/security/secrets/manage-secrets.md b/content/v2.0/security/secrets/manage-secrets.md index 053f69e45..17826985f 100644 --- a/content/v2.0/security/secrets/manage-secrets.md +++ b/content/v2.0/security/secrets/manage-secrets.md @@ -1,6 +1,6 @@ --- title: Manage secrets -description: Manage secrets in InfluxDB with the API. +description: Manage secrets in InfluxDB with the InfluxDB API. v2.0/tags: [secrets, security] menu: v2_0: 
@@ -9,56 +9,61 @@ weight: 201 --- -The following API calls allow you to manage secrets: +Manage secrets using the InfluxDB `/org/{orgID}/secrets` API endpoint. +All secrets belong to an organization and are stored in your [secret-store](/v2.0/security/secrets/). +Include your [organization ID](/v2.0/organizations/view-orgs/#view-your-organization-id) +and [authentication token](/v2.0/security/tokens/view-tokens/) with each request. - -### Add secrets to an organization +### Add a secret +Use the `PATCH` request method to add a new secret to your organization. +Pass the secret key-value pair in the request body. ```sh -curl --request PATCH \ - --url http://localhost:9999/api/v2/orgs//secrets \ - --header 'authorization: Token YOURAUTHTOKEN' \ - --header 'content-type: application/json' \ +curl -XPATCH http://localhost:9999/api/v2/orgs//secrets \ + -H 'authorization: Token YOURAUTHTOKEN' \ + -H 'Content-type: application/json' \ --data '{ - "foo": "bar", - "hello": "world" + "": "" }' - -# should return 204 no content ``` -### Retrieve an organization's secrets + +### View secret keys +Use the `GET` request method to view your organization's secrets keys. ```sh -curl --request GET \ - --url http://localhost:9999/api/v2/orgs//secrets \ - --header 'authorization: Token YOURAUTHTOKEN' - -# should return -# { -# "links": { -# "org": "/api/v2/orgs/031c8cbefe101000", -# "secrets": "/api/v2/orgs/031c8cbefe101000/secrets" -# }, -# "secrets": [] -# } +curl -XGET http://localhost:9999/api/v2/orgs//secrets \ + -H 'authorization: Token YOURAUTHTOKEN' ``` -### Retrieve the added secrets +### Delete a secret +Use the `POST` request method and the `orgs/{orgID}/secrets/delete` API endpoint +to delete one or more secrets. +Include an array of secret keys to delete in the requests body in the following format. 
```bash -curl --request GET \ - --url http://localhost:9999/api/v2/orgs//secrets \ - --header 'authorization: Token YOURAUTHTOKEN' - -# should return -# { -# "links": { -# "org": "/api/v2/orgs/031c8cbefe101000", -# "secrets": "/api/v2/orgs/031c8cbefe101000/secrets" -# }, -# "secrets": [ -# "foo", -# "hello" -# ] -# } +curl -XGET http://localhost:9999/api/v2/orgs//secrets/delete \ + --H 'authorization: Token YOURAUTHTOKEN' + --data '{ + "secrets": [ + "" + ] +}' +``` + +## Use secrets in a query +Import the `influxdata/influxd/secrets` package and use the `secrets.get()` function +to populate sensitive data in queries with secrets from your secret store. + +```js +import "influxdata/influxdb/secrets" +import "sql" + +username = secrets.get(key: "POSTGRES_USERNAME") +password = secrets.get(key: "POSTGRES_PASSWORD") + +sql.from( + driverName: "postgres", + dataSourceName: "postgresql://${username}:${password}@localhost", + query:"SELECT * FROM example-table" +) ``` From 27c64405c360cf118e30dc3e139fd2e7c6024bfb Mon Sep 17 00:00:00 2001 From: Nora Date: Mon, 9 Sep 2019 17:07:58 -0700 Subject: [PATCH 10/12] Updated index page --- content/v2.0/security/secrets/_index.md | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/content/v2.0/security/secrets/_index.md b/content/v2.0/security/secrets/_index.md index 030970e8f..4e34bc970 100644 --- a/content/v2.0/security/secrets/_index.md +++ b/content/v2.0/security/secrets/_index.md @@ -1,5 +1,5 @@ --- -title: Store secrets +title: Store and view secrets description: v2.0/tags: [secrets, security] menu: 
@@ -12,3 +12,25 @@ There are two options for storing secrets with InfluxDB: - By default, secrets are Base64-encoded and stored in the InfluxDB embedded key value store, [BoltDB](https://github.com/boltdb/bolt). - You can also set up Vault to store secrets. For details, see [Store secrets in Vault](/v2.0/security/secrets/use-vault). + +## Use secrets in a query +Import the `influxdata/influxd/secrets` package and use the `secrets.get()` function +to populate sensitive data in queries with secrets from your secret store. + +```js +import "influxdata/influxdb/secrets" +import "sql" + +username = secrets.get(key: "POSTGRES_USERNAME") +password = secrets.get(key: "POSTGRES_PASSWORD") + +sql.from( + driverName: "postgres", + dataSourceName: "postgresql://${username}:${password}@localhost", + query:"SELECT * FROM example-table" +) +``` + +## Add, list, and delete secrets + +See [Manage secrets](/v2.0/security/secrets/manage-secrets). From 96d7e8ae749b8f33c6480856489c5507725e194e Mon Sep 17 00:00:00 2001 From: Scott Anderson Date: Mon, 9 Sep 2019 18:10:39 -0600 Subject: [PATCH 11/12] minor updates to the secrets doc --- content/v2.0/security/secrets/_index.md | 2 +- content/v2.0/security/secrets/manage-secrets.md | 2 +- content/v2.0/security/secrets/use-vault.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/content/v2.0/security/secrets/_index.md b/content/v2.0/security/secrets/_index.md index 4e34bc970..dba43f9a8 100644 --- a/content/v2.0/security/secrets/_index.md +++ b/content/v2.0/security/secrets/_index.md @@ -1,5 +1,5 @@ --- -title: Store and view secrets +title: Store and use secrets description: v2.0/tags: [secrets, security] menu: diff --git a/content/v2.0/security/secrets/manage-secrets.md b/content/v2.0/security/secrets/manage-secrets.md index 17826985f..9b4054267 100644 --- a/content/v2.0/security/secrets/manage-secrets.md +++ b/content/v2.0/security/secrets/manage-secrets.md 
@@ -4,7 +4,7 @@ description: Manage secrets in InfluxDB with the InfluxDB API. v2.0/tags: [secrets, security] menu: v2_0: - parent: Store secrets + parent: Store and use secrets weight: 201 --- diff --git a/content/v2.0/security/secrets/use-vault.md b/content/v2.0/security/secrets/use-vault.md index dd2fdc65a..a6a9197d7 100644 --- a/content/v2.0/security/secrets/use-vault.md +++ b/content/v2.0/security/secrets/use-vault.md @@ -4,7 +4,7 @@ description: Manage secrets in InfluxDB using the InfluxDB UI or the influx CLI. v2.0/tags: [secrets, security] menu: v2_0: - parent: Store secrets + parent: Store and use secrets weight: 201 --- From 302623c8d9818400b833025525a5ad7772747456 Mon Sep 17 00:00:00 2001 From: Scott Anderson Date: Mon, 9 Sep 2019 18:16:01 -0600 Subject: [PATCH 12/12] updated vault doc --- content/v2.0/security/secrets/use-vault.md | 96 ++-------------------- 1 file changed, 9 insertions(+), 87 deletions(-) diff --git a/content/v2.0/security/secrets/use-vault.md b/content/v2.0/security/secrets/use-vault.md index a6a9197d7..6302787f0 100644 --- a/content/v2.0/security/secrets/use-vault.md +++ b/content/v2.0/security/secrets/use-vault.md @@ -12,11 +12,6 @@ weight: 201 to tokens, passwords, certificates, and other sensitive secrets. Store sensitive secrets in Vault using the InfluxDB built-in Vault integration. -{{% note %}} -When not using Vault, secrets are Base64-encoded and stored in the InfluxDB embedded key value store, -[BoltDB](https://github.com/boltdb/bolt). -{{% /note %}} - ## Start a Vault server Start a Vault server and ensure InfluxDB has network access to the server. 
@@ -27,16 +22,21 @@ The following links provide information about running Vault in both development - [Start a Vault dev server](https://learn.hashicorp.com/vault/getting-started/dev-server) - [Deploy Vault](https://learn.hashicorp.com/vault/getting-started/deploy) +{{% note %}} +InfluxDB supports the [Vault KV Secrets Engine Version 2 API](https://www.vaultproject.io/api/secret/kv/kv-v2.html) only. +When you create a secrets engine, enable the `kv-v2` version by running: + +```js +vault secrets enable kv-v2 +``` +{{% /note %}} + For this example, install Vault on your local machine and start a Vault dev server. ```sh vault server -dev ``` -{{% note %}} -The InfluxDB API supports KV engine v2 only. -{{% /note %}} - ## Define Vault environment variables Use [Vault environment variables](https://www.vaultproject.io/docs/commands/index.html#environment-variables) 
@@ -62,81 +62,3 @@ option set to `vault`. ```bash influxd --secret-store vault ``` - -## Test Vault storage - -With Vault and InfluxDB servers running, use the InfluxDB API to test Vault: - -{{% note %}} -Replace `` with your [organization ID](/v2.0/organizations/view-orgs/#view-your-organization-id) -and `YOURAUTHTOKEN` with your [InfluxDB authentication token](/v2.0/security/tokens/). -{{% /note %}} - -##### Retrieve an organization's secrets - -```sh -curl --request GET \ - --url http://localhost:9999/api/v2/orgs//secrets \ - --header 'authorization: Token YOURAUTHTOKEN' - -# should return -# { -# "links": { -# "org": "/api/v2/orgs/031c8cbefe101000", -# "secrets": "/api/v2/orgs/031c8cbefe101000/secrets" -# }, -# "secrets": [] -# } -``` - -##### Add secrets to an organization - -```sh -curl --request PATCH \ - --url http://localhost:9999/api/v2/orgs//secrets \ - --header 'authorization: Token YOURAUTHTOKEN' \ - --header 'content-type: application/json' \ - --data '{ - "foo": "bar", - "hello": "world" -}' - -# should return 204 no content -``` - -##### Retrieve the added secrets - -```bash -curl --request GET \ - --url http://localhost:9999/api/v2/orgs//secrets \ - --header 'authorization: Token YOURAUTHTOKEN' - -# should return -# { -# "links": { -# "org": "/api/v2/orgs/031c8cbefe101000", -# "secrets": "/api/v2/orgs/031c8cbefe101000/secrets" -# }, -# "secrets": [ -# "foo", -# "hello" -# ] -# } -``` - -## Vault secrets storage - -For each organization, InfluxDB creates a [secrets engine](https://learn.hashicorp.com/vault/getting-started/secrets-engines) -using the following pattern: `/secret/data/` - -{{% note %}} -When you create a secrets engine, enable the `kv-v2` version by running: `vault secrets enable kv-v2`. -{{% /note %}} - -Secrets are stored in Vault as key value pairs in their respective secrets engines. -``` -/secret/data/031c8cbefe101000 -> - this_key: foo - that_key: bar - a_secret: key -```
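Review bot: In PATCH 02/12, the new "Enable KV engine v2" paragraph in the last use-vault.md hunk gives `vault secrets enable kv-v2` with no `-path`, which mounts the engine at `kv-v2/`, while the sentence directly above it documents the `/secret/data/` pattern, i.e. a mount at `secret/`. Either show the command with `-path=secret`, or state that the `vault server -dev` example earlier on the page already provides a KV v2 engine at `secret/`, so readers do not enable an engine at a path the documented pattern does not use.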
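Review bot: In PATCH 05/12, the first bullet added to _index.md says default secrets are "Base64-encoded" in BoltDB without saying that Base64 is an encoding and not encryption, so anyone who can read the Bolt file can recover the values. Since this overview is where readers choose between the two stores, say that plainly and point to Vault as the option for secrets that need protection at rest. The same hunk also leaves `description:` empty in the front matter; give it a one-line summary.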
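Review bot: In PATCH 06/12, the use-vault.md front matter hunk sets the description to "Manage secrets in InfluxDB using the InfluxDB UI or the influx CLI.", which is still the tokens page wording with one word swapped; the page covers storing secrets in Vault and shows neither the UI nor the `influx` CLI. Suggest something like "Store secrets in Vault using the InfluxDB built-in Vault integration." The new manage-secrets.md in this patch also uses `weight: 201` under the same `Store secrets` parent as use-vault.md, so the menu order of the two pages is undefined; give them distinct weights.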
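Review bot: In PATCH 09/12, the "Delete a secret" example in the second manage-secrets.md hunk does not match its own text and will not run as written: the prose says to use `POST`, but the command is `curl -XGET`; the header flag is typed `--H` instead of `-H`; and that header line has no trailing `\`, so `--data` is executed as a separate command. Use `-XPOST`, fix the flag, add the continuation, and send `Content-type: application/json` as the PATCH example does. In the same hunk, the intro names the endpoint as `/org/{orgID}/secrets` while every example calls `/api/v2/orgs/.../secrets`, and "requests body" should read "request body". The removed "should return" comments were the only place the expected `204` and the key-only listing were shown; consider keeping them so readers can see that values are never returned.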
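Review bot: In PATCH 10/12, the "Use secrets in a query" section added to _index.md tells readers to import `influxdata/influxd/secrets`, but the code block two lines below imports `influxdata/influxdb/secrets`; the prose is missing the "b". The section is a verbatim copy of the one added to manage-secrets.md in PATCH 09/12, typo included, so fix both or keep the example in one file and link to it from the other. The sample query `SELECT * FROM example-table` also uses an unquoted identifier with a hyphen, which PostgreSQL rejects; use `example_table` or quote the name.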
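Review bot: In PATCH 12/12, the note added in the second use-vault.md hunk fences the shell command `vault secrets enable kv-v2` as `js`, which gives it the wrong syntax highlighting; the other command blocks on this page use `sh` or `bash`. Change the fence language to `sh`. The sentence "When you create a secrets engine" also leaves open whether the reader has to create one at all when following the `vault server -dev` example directly below; say when this step is required.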
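Review bot: In PATCH 12/12, the last use-vault.md hunk deletes the "Vault secrets storage" section, and with it the only statement of where InfluxDB writes in Vault (the `/secret/data/` pattern per organization and the `/secret/data/031c8cbefe101000` example). Operators need that path to scope the Vault policy behind `VAULT_TOKEN` to the secrets InfluxDB actually uses, and no other file in this series carries it. Keep a short version of the section here, and replace the removed "Test Vault storage" walkthrough with a link to manage-secrets.md so readers still have a way to confirm the integration works.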