hashicorp · schavis · Nov 28, 2024 · Nov 26, 2024 · Nov 27, 2024 · Nov 27, 2024
@@ -15,8 +15,10 @@ an existing data path in the `kv` v2 plugin.
 - You have [set up a `kv` v2 plugin](/vault/docs/secrets/kv/kv-v2/setup). 
 - Your authentication token has appropriate permissions for the `kv` v2 plugin:
    - **`patch`** permission to make direct updates with `PATCH` actions.
-   - **`create`**+**`update`** permission to make indirect updates by combining
-     `GET` and `POST` actions.
+   - **`create`**+**`update`** permission if you want to make indirect
+      updates with the Vault CLI by combining `GET` and `POST` actions.
+- You know the keys or [subkeys](/vault/docs/secrets/kv/kv-v2/cookbook/read-subkey)
+  you want to patch.
 
 </Tip>
 
@@ -25,7 +27,7 @@ an existing data path in the `kv` v2 plugin.
 
 <Tab heading="CLI" group="cli">
 
-Use the [`vault kv patch`](/vault/docs/command/kv/patch) command and set the
+Use the [`vault kv patch`](/vault/docs/commands/kv/patch) command and set the
 `-cas` flag to the expected data version to perform a check-and-set operation
 before applying the patch:
 
@@ -43,7 +45,11 @@ For example:
 <CodeBlockConfig hideClipboard="true">
 
 ```shell-session
-$ vault kv patch -cas 2 -mount shared dev/square-api prod=5678
+$ vault kv patch  \
+  -cas 2          \
+  -mount shared   \
+  dev/square-api  \
+  prod=5678
 
 ======= Secret Path =======
 shared/data/dev/square-api

@@ -0,0 +1,117 @@
+---
+layout: docs
+page_title: Read subkeys
+description: >-
+   Read the available subkeys on a given path from the kv v2 plugin
+---
+
+# Read subkeys for a key/value data path
+
+Read the available subkeys on an existing data path in the `kv` v2 plugin.
+
+<Tip title="Assumptions">
+
+- You have [set up a `kv` v2 plugin](/vault/docs/secrets/kv/kv-v2/setup). 
+- Your authentication token has `read` permissions for subkeys on the target
+  secret path.
+
+</Tip>
+
+<Tabs>
+
+<Tab heading="CLI" group="cli">
+
+Use `vault read` with the `/subkeys` metadata path retrieve a list of available
+subkeys on the given path. 
+
+```shell-session
+$ vault read <mount_path>/subkeys/<secret_path>
+```
+
+Vault retrieves secrets at the given path but replaces the underlying values of
+non-map keys and map keys with no underlying subkeys (leaf keys) with `nil`.
+
+For example:
+
+<CodeBlockConfig hideClipboard="true">
+
+```shell-session
+$ vault read shared/subkeys/dev/square-api
+
+Key         Value
+---         -----
+metadata    map[created_time:2024-11-20T20:00:13.385182722Z custom_metadata:<nil> deletion_time: destroyed:false version:1]
+subkeys     map[prod:<nil> sandbox:<nil> smoke:<nil>]
+```
+
+</CodeBlockConfig>
+
+</Tab>
+
+<Tab heading="GUI" group="gui">
+
+@include 'gui-page-instructions/select-kv-mount.mdx'
+
+- Click through the path segments to select the relevant secret path.
+- Note the subkeys listed on the data page.
+
+![Partial screenshot of the Vault GUI showing two key/value pairs at the path dev/square-api. The "prod" key is visible](/img/gui/kv/read-data.png)
+
+</Tab>
+
+<Tab heading="API" group="api">
+
+Call the [`/{plugin_mount_path}/subkeys/{secret_path}`](/vault/api-docs/secret/kv/kv-v2#read-secret-subkeys)
+endpoint to fetch a list of available subkeys on the given path:
+
+```shell-session
+$ curl                                       \
+   --request GET                             \
+   --header "X-Vault-Token: ${VAULT_TOKEN}"  \
+   ${VAULT_ADDR}/v1/<plugin_mount_path>/subkeys/<secret_path>
+```
+
+Vault retrieves secrets at the given path but replaces the underlying values of
+non-map keys and map keys with no underlying subkeys (leaf keys) with `null`.
+
+For example:
+
+<CodeBlockConfig hideClipboard="true">
+
+```shell-session
+$ curl                                       \
+   --request GET                             \
+   --header "X-Vault-Token: ${VAULT_TOKEN}"  \
+   ${VAULT_ADDR}/v1/shared/subkeys/dev/square-api | jq
+
+{
+  "request_id": "bfeac3c5-f4dc-37b2-8909-3b15121cfd20",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "metadata": {
+      "created_time": "2024-11-20T20:00:13.385182722Z",
+      "custom_metadata": null,
+      "deletion_time": "",
+      "destroyed": false,
+      "version": 11
+    },
+    "subkeys": {
+      "prod": null,
+      "sandbox": null,
+      "smoke": null
+    }
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null,
+  "mount_type": "kv"
+}
+```
+
+</CodeBlockConfig>
+
+</Tab>
+
+</Tabs>
@@ -1606,6 +1606,10 @@
                     "title": "Read data",
                     "path": "secrets/kv/kv-v2/cookbook/read-data"
                   },
+                  {
+                    "title": "Read subkeys",
+                    "path": "secrets/kv/kv-v2/cookbook/read-subkey"
+                  },
                   {
                     "title": "Set max data versions",
                     "path": "secrets/kv/kv-v2/cookbook/max-versions"