No way to check if a secret path exists

[grantdlr]

I need to programatically verify if a path exists before writing a secret to it. a simple read to check the path throws and exception "path doesn't exist"

[viralpoetry]

@grantdlr what exactly are you trying to achieve? "Paths" does not exist in vault until you write something there, they are only defined with the ACLs / policies.
You can only check if some mount point is available, or what rights you have with token on some path (issue #335)

[jeffwecan]

I'm with @viralpoetry on this issue. That said, would having an optional parameter (or something similar) on the implicated methods that would toggle returning None instead of raising an exception help solve your concern @grantdlr?

[grantdlr]

@jeffwecan that would absolutely solve my concern. I've been able to get around this using a try catch block. was just looking for a nicer way to ensure that I'm not overwriting existing secrets.

[jeffwecan]

I've had the same concern from time to time! I'll queue this issue up for the next release and see if we can get something sorted...

[jeffwecan]

Oh and to be clear, is your particular use case tied to KV v1, v2, or just a general secrets engines concern?

[grantdlr]

its the same for KV1 and KV2 but currently using KV2

[netson]

I'm with @viralpoetry on this issue. That said, would having an optional parameter (or something similar) on the implicated methods that would toggle returning None instead of raising an exception help solve your concern @grantdlr?

Wouldn't it be better to use a construct such as below instead? After this, you can either use patch() or create_or_update_secret() to update the secret. Creating the path is obviously not required and depends on your use case, but returning None instead of an exception may create confusion as to whether the value is None, or the value doesn't exist.

# see if the path exists
try:
    data = client.secrets.kv.v2.read_secret_version(
        path='your/path/here',
    )

# if not, it will throw an exception
except hvac.exceptions.InvalidPath:
    client.secrets.kv.v2.create_or_update_secret(
        path='your/path/here',
        secret=dict(pssst=None),
    )
    pass

[briantist]

I have to agree that this is a bit outside the library's control. Vault returns a 404, and so that is the exception we raise. We recently made a change to optionally not raise an exception for a specific type of 404 (see also: #955) but that is a different case since that 404 returns useful data with it.

404 is an appropriate response for a path that doesn't exist. I recommend using the try/catch method above.