The vault-try operator attempts to retrieve secrets from multiple Vault paths in order, returning the first successful result. This is particularly useful for migration scenarios, multi-tenant configurations, and fallback strategies.
- basic.yml - Basic vault-try usage with fallbacks
- migration.yml - Path migration scenarios
- multi-tenant.yml - Tenant-specific secret retrieval
- regional.yml - Region-based secret paths
- versioning.yml - Version-specific secret management
vault-tryrequires at least 2 arguments (paths + default)- Tries each path in order until one succeeds
- Last argument is always the default value
- More forgiving with malformed paths
- Useful for graceful transitions
# Basic usage
password: (( vault-try "path1" "path2" "default-value" ))
# With more paths
config: (( vault-try "new/path" "old/path" "legacy/path" "fallback" ))
# Dynamic paths
secret: (( vault-try
(concat "v2/" env "/secret")
(concat "v1/" env "/secret")
"default-secret"
))# Create secrets in different paths for testing
vault kv put secret/v1/myapp/db password=oldpass
vault kv put secret/v2/myapp/db password=newpass
vault kv put secret/prod/myapp key=prodkey
vault kv put secret/dev/myapp key=devkey# Test basic fallbacks
export VAULT_ADDR=http://localhost:8200
export VAULT_TOKEN=your-token
graft merge basic.yml
# Test migration scenarios
graft merge migration.yml
# Test with environment variables
ENV=prod graft merge regional.yml