Vault transit does not return creation timestamp for hmac key #31656

@dstdfx

Describe the bug
When I fetch transit key details via vault read or the API directly, there's no info on when a certain version of the key was created.
For example, for aes256-gcm96 it's returned in data.keys as a map of <version>:<unix_timestamp>, example from docs.
I wonder if it would be possible to introduce it for an hmac key as well, as it simplifies debugging.

Response example:

vault read -format=json transit/keys/test-key
{
  "request_id": "893ab392-724e-d1b2-05d1-768d823da01f",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "allow_plaintext_backup": false,
    "auto_rotate_period": 3600,
    "deletion_allowed": false,
    "derived": false,
    "exportable": true,
    "imported_key": false,
    "key_size": 32,
    "latest_version": 3,
    "min_available_version": 0,
    "min_decryption_version": 1,
    "min_encryption_version": 0,
    "name": "test-key",
    "supports_decryption": false,
    "supports_derivation": false,
    "supports_encryption": false,
    "supports_signing": false,
    "type": "hmac"
  },
  "warnings": null,
  "mount_type": "transit"
}

To Reproduce
Steps to reproduce the behavior:

  1. Run vault secrets enable transit to enable transit secret engine
  2. Run vault write -f transit/keys/test-key exportable=true type=hmac key_size=32 auto_rotate_period="1h" to create an hmac key
  3. Run vault write -f transit/keys/test-key/rotate to rotate the key
  4. Run vault read -format=json transit/keys/test-key to read the keys

Expected behavior
A map of versions/unix-timestamps (.data.keys) is returned when reading transit key details, similar to other key types:
https://developer.hashicorp.com/vault/api-docs/secret/transit#sample-response-1

Environment:

  • Vault Server Version (retrieve with vault status):
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.21.1
Build Date      2025-11-18T13:04:32Z
Storage Type    inmem
Cluster Name    vault-cluster-775a74a8
Cluster ID      d7bc840a-1437-cc0a-2906-cf6ba4ef2790
HA Enabled      false
  • Vault CLI Version (retrieve with vault version):
Vault v1.21.1 (2453aac2638a6ae243341b4e0657fd8aea1cbf18), built 2025-11-18T13:04:32Z
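
An added example, not part of the original issue and not Vault project code: a rotation-audit check over the JSON that vault read -format=json returns, which reports "unknown-age" when data.keys is absent (the hmac case above) instead of failing. The function name, status strings and both sample responses are constructed for illustration; the second sample assumes the <version>:<unix_timestamp> shape the issue describes for aes256-gcm96.

```python
import json

# Constructed sample: trimmed from the hmac response in the issue (no data.keys).
HMAC_RESPONSE = json.loads("""{"data": {"name": "test-key", "type": "hmac",
  "latest_version": 3, "auto_rotate_period": 3600}}""")

# Constructed sample: a response that carries data.keys as
# {"<version>": <unix_timestamp>}, the shape described for aes256-gcm96.
AES_RESPONSE = json.loads("""{"data": {"name": "enc-key", "type": "aes256-gcm96",
  "latest_version": 2, "auto_rotate_period": 3600,
  "keys": {"1": 1700000000, "2": 1700003600}}}""")


def rotation_status(response, now):
    """Classify a transit key read response for a rotation audit.

    Returns (status, age_seconds). status is one of "ok", "overdue",
    "no-auto-rotate" or "unknown-age" (no usable creation time for the
    latest version, so the key's age cannot be verified from this response).
    """
    data = response.get("data") or {}
    period = data.get("auto_rotate_period", 0)
    latest = str(data.get("latest_version"))
    created = (data.get("keys") or {}).get(latest)
    # Only the <version>:<unix_timestamp> shape is handled; anything else,
    # including the missing map from the issue, is reported rather than guessed.
    if isinstance(created, bool) or not isinstance(created, (int, float)):
        return ("unknown-age", None)
    age = int(now - created)
    if not period:
        return ("no-auto-rotate", age)
    return ("overdue" if age > period else "ok", age)


if __name__ == "__main__":
    now = 1700004000  # constructed "current time" so the output is stable
    for resp in (HMAC_RESPONSE, AES_RESPONSE):
        print(resp["data"]["name"], rotation_status(resp, now))
```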
