Feature Request: Hide soft deleted secret from Vault UI

[agaudreault]

Is your feature request related to a problem? Please describe.
After using vault for some time, we are having more and more secrets that we don't need anymore. So we delete the latest version of the secrets. However, the secret still show up in the UI and it is getting harder to navigate everyday.

Describe the solution you'd like
It would be nice to have a setting that could be enabled by a user to hide the secrets where the latest version is deleted from the UI. This setting could be turned off in case the user needs to search a secret that has been deleted and undelete it.

An even simpler solution could be to split the List in two. The main one for the secrets, and one at the bottom for the soft deleted secrets.

Describe alternatives you've considered
Instead of a general user setting, it could be a new operation that could be done on a secret to hide it or not from the UI. The hide operation could be triggered from the UI or the API, and the unhide only from the API. Of course, this needs more changes since it affects the API and not only the UI and might not be the best approach.

Additional context
We understand that secrets and metadata can be destroyed so it does not show up in the UI anymore, but that would remove the ability to undelete a secret and the only way we could retrieve it would be to restore a backup. For this reason, we do not give users the permission to destroy a secret.

I am referring to the Secret Engine K/V version 2.

[hellobontempo]

Hi @agaudreault-jive - thank you for the feature request! I want to make sure I'm understanding correctly, do you want to hide secrets from the main list view of the secret engine? For example, if secret one has the latest version deleted, it would not appear in this list if there was a Hide deleted toggle (or something) set to true?

[agaudreault]

@hellobontempo exactly :)

[maxb]

I have also encountered this issue... since soft-deleting secrets doesn't actually remove them from the list view, there is an incentive for humans to want to force a metadata delete to clean up the listing, even when there's a good case for keeping deleted secrets around for a while in case of potential rollback.

At the API level, one possible way to deal with this would be expose a new subpath in the KVv2 API - it would mirror the existing /metadata/ path, but only list secrets with a non-deleted current version.

[jxenos]

Specifically if there was API access for this it would be massively beneficial. Using the python hvac library or the API to list secrets in vault will list soft deleted secrets. Then the only way to filter them out is to loop over the list and get info for each secret when I only want to hide deleted secrets. This feels excessive.

Side note, but if I could get metadata on a list call, that would be pretty awesome too.