2026-04-16 19:49:22 +00:00
2 changed files with 11 additions and 6 deletions
--- a/lib/hvault.sh
+++ b/lib/hvault.sh
@ -100,6 +100,11 @@ _hvault_request() {
 # ── Public API ───────────────────────────────────────────────────────────────
 # VAULT_KV_MOUNT — KV v2 mount point (default: "kv")
 #   Override with: export VAULT_KV_MOUNT=secret
 #   Used by: hvault_kv_get, hvault_kv_put, hvault_kv_list
 : "${VAULT_KV_MOUNT:=kv}"
 # hvault_kv_get PATH [KEY]
 #   Read a KV v2 secret at PATH, optionally extract a single KEY.
 #   Outputs: JSON value (full data object, or single key value)
@ -114,7 +119,7 @@ hvault_kv_get() {
  _hvault_check_prereqs "hvault_kv_get" || return 1
  local response
-  response="$(_hvault_request GET "secret/data/${path}")" || return 1
+  response="$(_hvault_request GET "${VAULT_KV_MOUNT}/data/${path}")" || return 1
  if [ -n "$key" ]; then
    printf '%s' "$response" | jq -e -r --arg key "$key" '.data.data[$key]' 2>/dev/null || {
@ -154,7 +159,7 @@ hvault_kv_put() {
    payload="$(printf '%s' "$payload" | jq --arg k "$k" --arg v "$v" '.data[$k] = $v')"
  done
-  _hvault_request POST "secret/data/${path}" "$payload" >/dev/null
+  _hvault_request POST "${VAULT_KV_MOUNT}/data/${path}" "$payload" >/dev/null
 }
 # hvault_kv_list PATH
@ -170,7 +175,7 @@ hvault_kv_list() {
  _hvault_check_prereqs "hvault_kv_list" || return 1
  local response
-  response="$(_hvault_request LIST "secret/metadata/${path}")" || return 1
+  response="$(_hvault_request LIST "${VAULT_KV_MOUNT}/metadata/${path}")" || return 1
  printf '%s' "$response" | jq -e '.data.keys' 2>/dev/null || {
    _hvault_err "hvault_kv_list" "failed to parse response" "path=$path"
--- a/tests/lib-hvault.bats
+++ b/tests/lib-hvault.bats
@ -126,7 +126,7 @@ setup() {
@test "hvault_policy_apply creates a policy" {
  local pfile="${BATS_TEST_TMPDIR}/test-policy.hcl"
  cat > "$pfile" <<'HCL'
-path "secret/data/test/*" {
+path "kv/data/test/*" {
  capabilities = ["read"]
 }
 HCL
@ -138,12 +138,12 @@ HCL
  run curl -sf -H "X-Vault-Token: ${VAULT_TOKEN}" \
    "${VAULT_ADDR}/v1/sys/policies/acl/test-reader"
  [ "$status" -eq 0 ]
-  echo "$output" | jq -e '.data.policy' | grep -q "secret/data/test"
+  echo "$output" | jq -e '.data.policy' | grep -q "kv/data/test"
 }
@test "hvault_policy_apply is idempotent" {
  local pfile="${BATS_TEST_TMPDIR}/idem-policy.hcl"
-  printf 'path "secret/*" { capabilities = ["list"] }\n' > "$pfile"
+  printf 'path "kv/*" { capabilities = ["list"] }\n' > "$pfile"
  run hvault_policy_apply "idem-policy" "$pfile"
  [ "$status" -eq 0 ]