vault kv list: List Keys in a KV Path
vault kv list MOUNT/PATH lists the secret names directly under a KV path (not their values).
When a job iterates over secrets or just checks what exists, kv list enumerates the child keys. On KV v2 it hits the metadata API under the hood, so the path rules differ from v1.
What it does
vault kv list returns the keys stored at a KV path. Names ending in / are sub-paths you can list further. It lists keys only; it never returns secret values. On KV v2 it queries the metadata/ endpoint automatically when you give the logical path.
Common usage
vault kv list secret/
vault kv list secret/ci/
# JSON for scripting
vault kv list -format=json secret/ci | jq -r '.[]'Options
| Flag | What it does |
|---|---|
| -mount=<name> | Specify the KV mount explicitly (KV v2) |
| -format=json | Output the key list as JSON |
| -detailed | Include extra response metadata (newer CLIs) |
Common errors in CI
"No value found at secret/metadata/ci" (a 404) means the path is empty or you listed a leaf secret instead of a folder; list the parent path. "permission denied" means the policy lacks the list capability on the path. On KV v2, listing secret/data/ci directly fails; use the logical path secret/ci and let the CLI map it to metadata/.