HashiConf 2024 Now streaming live from Boston! Attend for free
Vault
Vault Home

secrets move

The secrets move command moves an existing secrets engine to a new path. Any leases from the old secrets engine are revoked, but all configuration associated with the engine is preserved. The command can be issued for a move within or across namespaces, using namespace prefixes in the arguments.

The command will trigger a remount operation and uses the returned migration ID to poll the status of the operation until a terminal state of success or failure is reached.

Moving an existing secrets engine will revoke any leases from the old engine.

Examples

Move the existing secrets engine at ns1/secret/ to ns2/kv/:

$ vault secrets move ns1/secret/ ns2/kv/

Move the existing secrets in team-vault to the vault-edu/ namespace.

$ vault secrets move team-vault \
    vault-edu/team-vault

Usage

There are no flags beyond the standard set of flags included on all commands.

Post-move considerations

Each namespace has its own policies, auth methods, secrets engines, tokens, identity entities and groups. You must consider the following after moving a mount across namespaces:

  • Necessary policies exist in the target namespace
  • Entities and groups might need updating after an auth mount migration
Edit this page on GitHub