Restore soft deleted key/value data

[!IMPORTANT]
Documentation Update: Product documentation, which were located in this repository under /website, are now located in hashicorp/web-unified-docs, colocated with all other product documentation. Contributions to this content should be done in the web-unified-docs repo, and not this one. Changes made to /website content in this repo will not be reflected on the developer.hashicorp.com website.

You can restore data from soft deletes in the kv v2 plugin as long as the destroyed metadata field for the targeted version is false.

Assumptions

You have set up a kv v2 plugin.
Your authentication token has create and update permissions for the kv v2 plugin.

Use vault kv undelete with the -versions flag to restore soft deleted version of key/value data:

$ vault kv undelete             \
   -mount <mount_path>          \
   -versions <target_versions>  \
   <secret_path>

For example:

$ vault kv undelete -mount shared -versions 1,4 dev/square-api

Success! Data deleted (if it existed) at: shared/data/dev/square-api

The deletion_time metadata field for versions 1 and 4 is now n/a:

$ vault kv metadata get -mount shared dev/square-api

======== Metadata Path ========
shared/metadata/dev/square-api

========== Metadata ==========
Key                     Value
---                     -----
cas_required            false
created_time            2024-11-13T21:51:50.898782695Z
current_version         4
custom_metadata         <nil>
delete_version_after    0s
max_versions            5
oldest_version          0
updated_time            2024-11-14T22:32:42.29534643Z

====== Version 1 ======
Key              Value
---              -----
created_time     2024-11-13T21:51:50.898782695Z
deletion_time    n/a
destroyed        false

...

====== Version 4 ======
Key              Value
---              -----
created_time     2024-11-14T22:32:42.29534643Z
deletion_time    n/a
destroyed        false

Open the Overview screen for your secret path:
1. Open the GUI for your Vault instance.
2. Login under the namespace for the plugin or select the namespace from the selector at the bottom of the left-hand menu and re-authenticate.
3. Select Secrets Engines from the left-hand menu.
4. Select the mount path for your kv plugin.
5. Click through the path segments to select the relevant secret path.

Select the Secret tab.
Select the appropriate data version from the Version dropdown.
Click Undelete.

Partial screenshot of the Vault GUI showing the deleted version message

Make a POST call to /{plugin_mount_path}/undelete/{secret_path} with the data versions you want to restore:

$ curl                                       \
   --request POST                            \
   --header "X-Vault-Token: ${VAULT_TOKEN}"  \
   --data '{"versions":[<target_versions>]}  \
   ${VAULT_ADDR}/v1/<plugin_mount_path>/undelete/<secret_path>

For example:

$ curl                                       \
    --request POST                           \
    --header "X-Vault-Token: ${VAULT_TOKEN}" \
    --data '{"versions":[5,8]}'              \
    ${VAULT_ADDR}/v1/shared/undelete/dev/square-api | jq