KV mount enumeration and tree listing.
This command queries the Vault API to automatically discover and enumerate all KV secret mounts (both v1 and v2) and recursively lists their contents in a hierarchical tree structure.
§Features
- Automatic Discovery: Discovers all KV mounts without needing to know mount names
- Version Detection: Automatically detects and handles both KV v1 and KV v2 mounts
- Depth Control: Optional depth parameter to control traversal (unlimited by default)
- Multiple Output Formats: CSV (flattened with depth), JSON (nested tree), or stdout (visual tree)
§Usage Examples
# List all KV mounts with unlimited depth (default)
vault-audit kv-mounts --format stdout
# List only the mounts themselves (no traversal)
vault-audit kv-mounts --depth 0 --format csv
# List mounts and traverse 2 levels deep
vault-audit kv-mounts --depth 2 --format json
# Save full tree to CSV file
vault-audit kv-mounts --format csv --output kv-inventory.csv
§Output Formats
- CSV: Flattened paths with depth column, one row per path/secret
- JSON: Nested tree structure with parent-child relationships
- stdout: Visual tree with Unicode box-drawing characters (├──, └──, │)
§Depth Parameter
- --depth 0: Show only mount points (no traversal)
- --depth 1: Show mounts + first level folders/secrets
- --depth 2: Show mounts + two levels of traversal
- No flag: Unlimited depth (discovers entire tree structure)
§API Endpoints Used
- /v1/sys/mounts - Discover all secret mounts
- /v1/{mount}/metadata/{path} - List KV v2 paths (using LIST method)
- /v1/{mount}/{path} - List KV v1 paths (using LIST method)
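The sketch below is an added example, not vault-audit's own source: it shows how the v1/v2 LIST paths listed above and the --depth limit combine into flattened (path, depth) rows. The function names, the `sample_list` stand-in for the HTTP LIST call, the sample mounts and the CSV header are all assumptions made for illustration.

```rust
#[derive(Clone, Copy, Debug, PartialEq)]
enum KvVersion { V1, V2 }

// Vault reports a KV mount's engine version in options.version; absent means v1.
fn kv_version(options_version: Option<&str>) -> KvVersion {
    if options_version == Some("2") { KvVersion::V2 } else { KvVersion::V1 }
}

// LIST path per the endpoint list above: v2 lists under metadata/, v1 directly.
fn list_path(mount: &str, ver: KvVersion, path: &str) -> String {
    match ver {
        KvVersion::V1 => format!("/v1/{}/{}", mount, path),
        KvVersion::V2 => format!("/v1/{}/metadata/{}", mount, path),
    }
}

// Returns (path, depth) rows. `list` stands in for the HTTP LIST request.
fn enumerate(mount: &str, ver: KvVersion, max_depth: Option<usize>,
             list: &dyn Fn(&str) -> Vec<String>) -> Vec<(String, usize)> {
    let mut rows = vec![(format!("{}/", mount), 0)]; // depth 0: the mount itself
    let mut stack = vec![(String::new(), 0usize)];
    while let Some((dir, depth)) = stack.pop() {
        if max_depth.map_or(false, |m| depth >= m) { continue; } // limit reached
        for key in list(&list_path(mount, ver, &dir)) {
            let child = format!("{}{}", dir, key);
            rows.push((format!("{}/{}", mount, child), depth + 1));
            // Vault marks folders in LIST results with a trailing slash.
            if key.ends_with('/') { stack.push((child, depth + 1)); }
        }
    }
    rows
}

// Constructed stand-in for Vault LIST responses, keyed by API path (no network).
fn sample_list(api_path: &str) -> Vec<String> {
    let keys: &[&str] = match api_path {
        "/v1/secret/metadata/" => &["app/", "root-note"],
        "/v1/secret/metadata/app/" => &["db", "prod/"],
        "/v1/secret/metadata/app/prod/" => &["api-key"],
        "/v1/legacy/" => &["ssh-key"],
        _ => &[],
    };
    keys.iter().map(|k| k.to_string()).collect()
}

fn main() {
    println!("path,depth"); // column names are an assumption
    for (mount, opt) in [("secret", Some("2")), ("legacy", None)] {
        for (path, depth) in enumerate(mount, kv_version(opt), Some(2), &sample_list) {
            println!("{},{}", path, depth);
        }
    }
}
```

Only key names are listed, never secret values, so the resulting inventory reflects what the calling token's policy allows it to enumerate.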
§Functions
- run
- Run the KV mount enumeration command