Filter expressions in Vault
Filter expressions use matching operators and selector values to parse out important or relevant information. In some situations, you can use filter expressions to control how Vault processes results.
Filter expression syntax
Basic filter expressions are always written in plain text with a matching operator, a selector, and a selector value.
- the matching operator tells Vault how to compare the selector and selector value.
- the selector is a JSON pointer that indicates which field or parameter in a JSON object to consider.
- the selector value is a JSON pointer, number, or string that defines a pattern Vault can filter against.
For example, in the filter expression:
- Equality (
==
) is the matching operator. - The JSON pointer
product/name
is the selector. - The string "Vault" is the selector value.
Complex filter expressions also allow Boolean logic and parenthesis. For example:
When parsing filter expressions, Vault ignores whitespace unless the whitespace is part of a literal string.
Filter expression
product/name=="Vault"
and product/name == "Vault"
generate the same results
while product/name == " Vault "
and product/name == "Vault"
generate
different results.
Selectors are not universal
Filtering-enabled endpoints can support different selectors. Make sure to consult the API documentation for a given endpoint when constructing your filter expressions.
Complex expressions
Complex expressions combine basic expressions with logical operators, grouping, and matching expressions.
Vault uses standard operator precedence when resolving complex
expressions. For example, the expression
<Expression 1> and not <Expression 2> or <Expression 3>
resolves
the same as
( <Expression 1> and (not <Expression 2> )) or <Expression 3>
.
Performance
Filters consume a portion of CPU time on the Vault node where they run.
Regular expressions
Using multiple/complex expressions including regular expressions (regex) will have a larger impact on performance than fewer/simpler filters.Always test your filters in pre-production environments to ensure correctness.
Ideally you should codify your management of Vault using tools such as Terraform, to prevent accidentally enabling an audit device in a production environment with untested/incorrect settings.
Finally, always ensure you profile production-like workloads within your pre-production environments in order to accurately assess the performance of Vault.