Skip to content
Latchkey

vault kv patch: Update KV Secrets In Place

vault kv patch updates or adds individual fields of a KV v2 secret while preserving the fields you do not mention.

Where kv put replaces the whole secret, kv patch merges. It is the safe way for a pipeline to update one field (say, rotate a single token) without clobbering the rest of the secret.

What it does

vault kv patch reads the current KV v2 secret, merges your key=value pairs into it, and writes a new version. By default it uses an HTTP PATCH; with -method=rw it falls back to a read-then-write. It only works on KV v2.

Common usage

Terminal
vault kv patch secret/ci/db password=newpass
# read-then-write fallback if PATCH is unavailable
vault kv patch -method=rw secret/ci/db api_key=abc123

Options

FlagWhat it does
-method=patch|rwUse HTTP PATCH (default) or read-then-write
-cas=<n>Check-and-set: only patch if current version is n
-mount=<name>Specify the KV v2 mount explicitly

Common errors in CI

"Code: 405. Errors: 1 error occurred: * unsupported operation" means the server or mount does not support PATCH; add -method=rw. "permission denied" means the policy lacks the patch capability (PATCH needs it explicitly, separate from update). "check-and-set parameter required" means the mount has cas_required set; pass -cas with the current version.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →