vault kv patch: Update KV Secrets In Place
vault kv patch updates or adds individual fields of a KV v2 secret while preserving the fields you do not mention.
Where kv put replaces the whole secret, kv patch merges. It is the safe way for a pipeline to update one field (say, rotate a single token) without clobbering the rest of the secret.
What it does
vault kv patch reads the current KV v2 secret, merges your key=value pairs into it, and writes a new version. By default it uses an HTTP PATCH; with -method=rw it falls back to a read-then-write. It only works on KV v2.
Common usage
vault kv patch secret/ci/db password=newpass
# read-then-write fallback if PATCH is unavailable
vault kv patch -method=rw secret/ci/db api_key=abc123Options
| Flag | What it does |
|---|---|
| -method=patch|rw | Use HTTP PATCH (default) or read-then-write |
| -cas=<n> | Check-and-set: only patch if current version is n |
| -mount=<name> | Specify the KV v2 mount explicitly |
Common errors in CI
"Code: 405. Errors: 1 error occurred: * unsupported operation" means the server or mount does not support PATCH; add -method=rw. "permission denied" means the policy lacks the patch capability (PATCH needs it explicitly, separate from update). "check-and-set parameter required" means the mount has cas_required set; pass -cas with the current version.