# Secret Paths Reference

Complete reference for all secret paths stored in Vault. Use this when onboarding a new application or looking up where credentials are stored.

## Path Convention

Environment-scoped application secrets follow the pattern `secret/cwiq/<env>/<app>/<purpose>`, as the paths in the table below show (for example `secret/cwiq/shared/authentik/database` or `secret/cwiq/dev/app/database`).

Application-level secrets without an environment context (e.g., SonarQube admin creds) drop the `cwiq/<env>` prefix and use `secret/<app>/<purpose>`, as in `secret/sonarqube/admin`.
## Quick Reference Table

| Application | Path | Fields |
|---|---|---|
| Authentik DB | secret/cwiq/shared/authentik/database | pg_host, pg_user, pg_password, pg_name, pg_port |
| Authentik Config | secret/cwiq/shared/authentik/config | secret_key |
| GitLab OIDC | secret/cwiq/shared/gitlab/oidc | client_id, client_secret |
| Taiga DB | secret/cwiq/shared/taiga/database | postgres_password, secret_key |
| Icinga DB | secret/cwiq/shared/icinga/database | Various DB passwords |
| SonarQube Admin | secret/sonarqube/admin | username, token, url |
| SonarQube CI Token | secret/sonarqube/svc-orchestrator | token, url |
| DefectDojo Admin | secret/defectdojo/admin | username, password |
| DefectDojo CI Token | secret/defectdojo/svc-orchestrator | token, url |
| Identity DB Admin | secret/identity-db/admin | pg_superuser_password |
| Identity DB Roles | secret/identity-db/dev/roles | mydb_nss_password, mydb_pam_password, mydb_provision_password |
| Nexus CI/CD | secret/nexus/svc-orchestrator | username, password |
| Nexus Admin | secret/nexus/admin | username, password |
| Grafana Admin | secret/grafana/admin | username, password |
| Icinga Admin | secret/icinga/admin | username, password |
| OpenLDAP Admin | secret/cwiq/shared/openldap/admin | username, password, base_dn, url |
| Slack Webhooks | secret/slack/webhooks | shared, dev |
| Orchestrator E2E | secret/orchestrator/e2e-test-user | username, password |
## Retrieving Secrets

### Retrieve all fields

### Retrieve a single field (for scripts)

### Retrieve as JSON (for jq parsing)

### Export multiple fields as environment variables
```bash
# Quote the substitution so newlines survive, and run each value through jq's
# @sh filter: it single-quotes the value, so a password containing $, ;, spaces
# or quotes reaches eval as a literal instead of being expanded or executed.
eval "$(vault kv get -format=json secret/cwiq/shared/authentik/database | \
  jq -r '.data.data | to_entries[] | "export \(.key | ascii_upcase)=\(.value | @sh)"')"
# Now: $PG_HOST, $PG_PASSWORD, $PG_USER, etc.
```
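Why the quoting in that one-liner matters: `eval` re-parses every `export KEY=value` line, so an unquoted value is subject to variable expansion, command substitution and `;` splitting. The block below is an added example (not code from this page or the project) that reproduces the two variants in Python against a constructed JSON document in the shape `vault kv get -format=json` returns (field names copied from the authentik/database entry, values made up), then pushes each through a real `sh -c 'eval ...'` to show which one hands the password back intact.

```python
import json
import shlex
import subprocess

# Constructed sample of `vault kv get -format=json secret/cwiq/shared/authentik/database`.
# The field names match the reference table; every value is invented for this example.
SAMPLE_KV_JSON = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": {
        "data": {
            "pg_host": "db.shared.cwiq.io",
            "pg_port": "5432",
            "pg_user": "authentik",
            # Hostile on purpose: unquoted, eval expands `$$` to the shell's PID,
            # runs the command substitution and treats `# trailing` as a comment.
            "pg_password": "p4$$w0rd;$(echo INJECTED) # trailing",
        },
        "metadata": {"version": 3, "destroyed": False},
    },
})


def kv_fields(kv_json: str) -> dict:
    """The .data.data object: KV v2 nests the user's fields one level deeper than KV v1."""
    return json.loads(kv_json)["data"]["data"]


def unsafe_exports(kv_json: str) -> list[str]:
    """Mirror of the jq one-liner without @sh: the value is spliced in raw."""
    return [f"export {k.upper()}={v}" for k, v in kv_fields(kv_json).items()]


def safe_exports(kv_json: str) -> list[str]:
    """Single-quote every value (what jq's @sh does) so eval sees a literal string."""
    return [f"export {k.upper()}={shlex.quote(v)}" for k, v in kv_fields(kv_json).items()]


def eval_in_sh(export_lines: list[str], var: str) -> str:
    """Run the export lines through `eval` in a fresh POSIX sh and read one variable back."""
    script = 'eval "$1"; printf "%s" "$' + var + '"'
    proc = subprocess.run(
        ["sh", "-c", script, "sh", "\n".join(export_lines)],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


if __name__ == "__main__":
    want = kv_fields(SAMPLE_KV_JSON)["pg_password"]
    got_safe = eval_in_sh(safe_exports(SAMPLE_KV_JSON), "PG_PASSWORD")
    got_unsafe = eval_in_sh(unsafe_exports(SAMPLE_KV_JSON), "PG_PASSWORD")
    print("quoted  :", repr(got_safe), "intact" if got_safe == want else "CORRUPTED")
    print("unquoted:", repr(got_unsafe), "intact" if got_unsafe == want else "CORRUPTED")
```

The unquoted run also tries to execute `INJECTED` as a command (harmless here, only because the constructed value says `echo`); with a value an attacker or a careless admin wrote into Vault, that is arbitrary command execution in the operator's shell.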
## Storing a New Secret

When deploying a new application, follow this pattern:

```bash
# Admin/root credentials
vault kv put secret/<app-name>/admin \
  username=admin \
  password=<generated-password>

# CI/CD service account token
vault kv put secret/<app-name>/svc-orchestrator \
  token=<token> \
  url=https://<app-name>.shared.cwiq.io
```

Values given as `key=value` arguments end up in shell history and are visible to other users in the process list while the command runs. For anything sensitive, use the `@file` form or pass the fields as JSON on stdin with `-`, both of which `vault kv put` accepts.

After storing:

1. Update vault-server/docs/02-cli-operations.md: add rows to the Common Secret Paths Reference table.
2. Report the admin username, access URL and Vault path to the team; let them read the password from Vault rather than pasting it into chat or email.
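The procedure above as an added example (not the project's own tooling): it validates the application name before it becomes a path segment, generates the admin password from the OS CSPRNG, and builds the two `vault kv put` invocations so that the fields travel on stdin (`-`) rather than on the command line. The `secret/<app>/admin` and `secret/<app>/svc-orchestrator` paths and the `https://<app>.shared.cwiq.io` URL are taken from this page; everything else is an assumption of the example.

```python
import json
import re
import secrets

# Assumptions for this example: the two per-application paths documented on
# this page, and a conservative app-name alphabet (lowercase, digits, hyphen).
APP_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")
PURPOSES = ("admin", "svc-orchestrator")


def app_secret_path(app_name: str, purpose: str) -> str:
    """Build secret/<app>/<purpose>, refusing names that could escape the app prefix."""
    if not APP_NAME_RE.match(app_name):
        raise ValueError(f"{app_name!r} is not a valid application path segment")
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose {purpose!r}; expected one of {PURPOSES}")
    return f"secret/{app_name}/{purpose}"


def generate_password(nbytes: int = 32) -> str:
    """256 bits from the OS CSPRNG, URL-safe so it survives any shell or config file."""
    return secrets.token_urlsafe(nbytes)


def kv_put_command(path: str, fields: dict) -> tuple[list[str], str]:
    """argv and stdin for `vault kv put <path> -`.

    Sending the fields as JSON on stdin keeps the password out of shell history
    and out of the argv that other users can read via `ps`.
    """
    return ["vault", "kv", "put", path, "-"], json.dumps(fields)


def onboarding_commands(app_name: str, ci_token: str, domain: str = "shared.cwiq.io"):
    """Both puts from the procedure, ready for subprocess.run(argv, input=stdin, text=True)."""
    admin = kv_put_command(
        app_secret_path(app_name, "admin"),
        {"username": "admin", "password": generate_password()},
    )
    ci = kv_put_command(
        app_secret_path(app_name, "svc-orchestrator"),
        {"token": ci_token, "url": f"https://{app_name}.{domain}"},
    )
    return [admin, ci]


if __name__ == "__main__":
    for argv, stdin in onboarding_commands("grafana", ci_token="<token>"):
        # Print the command and the field names only; the values stay off the terminal.
        print(" ".join(argv), "<-", sorted(json.loads(stdin)))
```

Run against a real Vault by feeding each pair to `subprocess.run(argv, input=stdin, text=True, check=True)` in a shell that already holds a token with write access to the two paths.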
## Version History

KV v2 keeps the last 10 versions of each secret by default (`max_versions`); older versions are dropped permanently as new ones are written. Access previous versions when needed:

```bash
# View all versions (metadata only, no field values)
vault kv metadata get secret/cwiq/shared/authentik/database

# Get a specific version
vault kv get -version=2 secret/cwiq/shared/authentik/database

# Roll back to a previous version: this writes version 2's data as a new version,
# it does not rewind the history
vault kv rollback -version=2 secret/cwiq/shared/authentik/database
```
## Listing Secrets

```bash
# List top-level paths
vault kv list secret/

# List paths under cwiq/shared/
vault kv list secret/cwiq/shared/
```
## Deleting Secrets

```bash
# Soft delete the current version (data kept, recoverable with undelete)
vault kv delete secret/cwiq/dev/app/database

# Recover a soft-deleted version
vault kv undelete -versions=3 secret/cwiq/dev/app/database

# Hard delete a specific version (permanent; the version number stays in metadata)
vault kv destroy -versions=3 secret/cwiq/dev/app/database

# Delete all versions and metadata (permanent; the path disappears)
vault kv metadata delete secret/cwiq/dev/app/database
```
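The distinctions between the commands in the Version History and Deleting Secrets sections are easy to get wrong under pressure: `delete` is reversible, `destroy` is not, `rollback` adds a version rather than removing one, and versions past `max_versions` vanish silently. The following in-memory model is an added example (not Vault's implementation and not project code) that encodes those semantics for a single KV v2 path so they can be exercised without a Vault server; the method names follow the CLI subcommands.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Version:
    data: Optional[dict]      # None once destroyed
    deleted: bool = False     # soft-deleted: hidden from reads, recoverable
    destroyed: bool = False   # data wiped for good; the version number stays in metadata


class KV2Secret:
    """Model of one KV v2 path with the default retention of 10 versions (example code)."""

    def __init__(self, max_versions: int = 10):
        self.max_versions = max_versions
        self.versions: dict[int, Version] = {}
        self.current = 0

    def put(self, data: dict) -> int:
        """`vault kv put`: always a new version; the oldest is pruned past max_versions."""
        self.current += 1
        self.versions[self.current] = Version(data=dict(data))
        while len(self.versions) > self.max_versions:
            del self.versions[min(self.versions)]
        return self.current

    def get(self, version: Optional[int] = None) -> Optional[dict]:
        """`vault kv get [-version=N]`: no data for deleted, destroyed or pruned versions."""
        v = self.versions.get(version or self.current)
        if v is None or v.deleted or v.destroyed:
            return None
        return dict(v.data)

    def delete(self, versions: Optional[list] = None) -> None:
        """`vault kv delete [-versions=...]`: marks versions deleted, data is kept."""
        for n in versions or [self.current]:
            if n in self.versions and not self.versions[n].destroyed:
                self.versions[n].deleted = True

    def undelete(self, versions: list) -> None:
        """`vault kv undelete -versions=...`: clears the deletion mark only."""
        for n in versions:
            if n in self.versions:
                self.versions[n].deleted = False

    def destroy(self, versions: list) -> None:
        """`vault kv destroy -versions=...`: wipes the data; undelete cannot bring it back."""
        for n in versions:
            if n in self.versions:
                self.versions[n] = Version(data=None, destroyed=True)

    def rollback(self, version: int) -> int:
        """`vault kv rollback -version=N`: copies N's data into a NEW version, never rewinds."""
        old = self.get(version)
        if old is None:
            raise ValueError(f"version {version} is deleted, destroyed or no longer retained")
        return self.put(old)

    def metadata_delete(self) -> None:
        """`vault kv metadata delete`: every version and the path itself are gone."""
        self.versions.clear()
        self.current = 0

    def metadata(self) -> dict:
        """Shape of `vault kv metadata get`: per-version flags, no field values."""
        return {
            "current_version": self.current,
            "versions": {n: {"deleted": v.deleted, "destroyed": v.destroyed}
                         for n, v in sorted(self.versions.items())},
        }


if __name__ == "__main__":
    s = KV2Secret()
    for i in range(1, 4):
        s.put({"pg_password": f"pw{i}"})       # constructed values
    s.delete()
    print("after delete   :", s.get(), "| v2 still readable:", s.get(2))
    s.undelete([3])
    print("after undelete :", s.get())
    s.destroy([3])
    s.undelete([3])
    print("after destroy  :", s.get(3), "(undelete had no effect)")
    print("rollback to v2 :", "wrote version", s.rollback(2), "=", s.get())
```

Note what the model makes explicit: rolling back after a `destroy` of the latest version works only because an older, intact version still exists, and once more than 10 writes have happened the earliest versions are gone for good, so a `rollback -version=1` on a busy secret may fail long before anyone deletes anything.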
## Related Documentation

- Vault Architecture
- AppRole & JWT Auth
- Vault Agent Sidecar
- Operations & Emergency
- Source: ansible-playbooks/vault-server/docs/02-cli-operations.md