Open-Source Wikis

/

Vault

/

Reference

/

Data models

hashicorp/vault

Data models

The most important persistent data shapes inside Vault. These are the structures that travel from Go code to the storage barrier; understanding them is essential for reading code that touches storage, replication, or audit.

Mount entry

vault/mount.go::MountEntry. Persisted under core/mounts, core/auth, core/audit.

type MountEntry struct {
    Table       string         // "mounts" | "auth" | "audit"
    Path        string         // "secret/", "auth/userpass/", ...
    Type        string         // "kv", "userpass", "file", ...
    Description string
    Config      MountConfig
    Local       bool           // local-only, never replicated
    SealWrap    bool           // wrap critical paths in seal
    ExternalEntropyAccess bool
    Tainted     bool           // marked for unmount
    Options     map[string]string
    UUID        string         // unique ID; used for storage view prefix
    BackendAwareUUID string
    Accessor    string         // human-friendly handle for ACL/audit
    NamespaceID string
    Version     string         // plugin version pin
    RunningVersion string
    PluginVersion  string
    PluginRunningVersion string
    PluginCatalogVersion string
    SHA256      string         // plugin hash
}

Token entry

vault/token_store.go::TokenEntry. Persisted under sys/token/<id> and indexed by accessor under sys/token/accessor/<accessor>.

type TokenEntry struct {
    Type             logical.TokenType  // service | batch
    ID               string
    ExternalID       string
    Accessor         string
    Parent           string
    Policies         []string
    Path             string             // mount that issued
    Meta             map[string]string
    DisplayName      string
    NumUses          int
    CreationTime     int64
    TTL              time.Duration
    ExplicitMaxTTL   time.Duration
    Role             string
    Period           time.Duration
    EntityID         string
    NoIdentityPolicies bool
    BoundCIDRs       []*sockaddr.SockAddrMarshaler
    NamespaceID      string
    CubbyholeID      string
    InternalMeta     map[string]string
}

Lease entry

vault/expiration.go::leaseEntry. Persisted under sys/expire/id/<lease_id> (encoded).

type leaseEntry struct {
    LeaseID         string
    ClientToken     string
    Path            string
    Data            map[string]any
    Secret          *logical.Secret
    Auth            *logical.Auth
    IssueTime       time.Time
    ExpireTime      time.Time
    LastRenewalTime time.Time
    Version         int                // schema version
    namespace       *namespace.Namespace
    LoginRole       string
    ClientTokenType logical.TokenType
}

Policy

vault/policy.go::Policy. Persisted under sys/policy/<namespace>/<name> (with separate trees for ACL, RGP, EGP).

type Policy struct {
    Name      string
    Paths     []*PathRules
    Raw       string             // original HCL text
    Type      PolicyType         // ACL | RGP | EGP
    Templated bool
    namespace *namespace.Namespace
}

type PathRules struct {
    Path                string
    Policy              string                   // legacy "policy=read"
    Permissions         *ACLPermissions
    IsPrefix            bool
    HasSegmentWildcards bool
    Capabilities        []string
    MFAMethods          []string
    ControlGroup        *ControlGroup
}

Identity entity

helper/identity/types.proto::Entity. Persisted under entity/buckets/<bucket-id> (sharded by entity ID hash).

message Entity {
  repeated Alias aliases = 1;
  string id = 2;
  string name = 3;
  map<string,string> metadata = 4;
  int64 creation_time = 5;
  int64 last_update_time = 6;
  repeated string merged_entity_ids = 7;
  repeated string policies = 8;
  string bucket_key = 9;
  string mfa_secrets = 10;
  bool disabled = 11;
  string namespace_id = 12;
}

The protobuf-defined types are shared with replication so primary and secondary clusters can serialize identity state across the wire.

Lease tree

Tokens form a tree (parent → child). Persisted edges:

  • sys/parent/<parent_token_id>/<child_token_id> — empty value.
  • sys/expire/leases/<lease_id> — registered leases.

When revoking a parent, revokeTreeInternal walks the tree iteratively to avoid deep recursion.

Audit table

vault/audit.go::AuditTable is structurally identical to a mount table but stored separately under core/audit. Each entry knows the device type, options, salt key, and HMAC pepper for that device.

Seal config

Persisted under core/seal-config:

type SealConfig struct {
    Type            string
    SecretShares    int
    SecretThreshold int
    Nonce           string
    PGPKeys         []string
    Backup          bool
    StoredShares    int            // how many shares to keep encrypted in storage (auto-unseal)
    Name            string
    RekeyProgress   [][]byte       // transient
    VerificationRequired bool
    VerificationKey      []byte
    VerificationNonce    string
    RewrapStaticConfig   *AutoSealRewrapConfig
}

Keyring

The barrier's keyring (vault/keyring.go) holds the active and historical AES-GCM keys. Encrypted with the master key and stored at core/keyring. New versions are added on rekey; old versions are kept so historic ciphertext can still decrypt.

OIDC objects

Hosted by the identity store:

  • identity/oidc/key/<name> — signing key with rotation schedule.
  • identity/oidc/scope/<name> — claim template.
  • identity/oidc/role/<name> — older single-tenant ID-token issuance flow.
  • identity/oidc/provider/<name> — multi-client issuer.
  • identity/oidc/client/<name> — per-client config.
  • identity/oidc/assignment/<name> — entity/group → client allowlist.

How they all fit

graph LR
    Tok[TokenEntry] -- entity_id --> Ent[Entity]
    Tok -- parent --> ParentTok[Parent token]
    Tok -- accessor --> Audit[AuditTable]
    Lease[leaseEntry] -- ClientToken --> Tok
    Lease -- Path --> Mount[MountEntry]
    Pol[Policy] -- attached to --> Tok
    Pol -- attached to --> Ent
    Ent -- alias --> Mount
    Mount -- UUID --> StorageView[(barrier-prefixed view)]

This graph is what Core.HandleRequest traverses on every request: token → entity → policies → ACL → mount → backend → storage.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Data models – Vault wiki | Factory