Emits metadata for a single vault entry. Secret material is never included in the output.
DESCRIBE { VAULT | CREDENTIAL } [IF EXISTS] <name>## Overview DESCRIBE VAULT emits the full non-secret metadata for a single vault entry: id, display_name, entry_type, algorithm, current_version, storage_backend_name, external_secret_name (for linked entries), created_at, updated_at, rotated_at. Secret material is never included and there is no SQL path to retrieve it. ## Behavior - VAULT and CREDENTIAL are interchangeable keywords. The command resolves by display_name regardless of which keyword was used at CREATE time. - The HTTP adapter fetches the full list of entries via GET /vault/entries and filters by display_name. With IF EXISTS, a missing name returns a clean 'does not exist' message; without it, a missing name raises an error. - Linked-external entries show their external_secret_name so operators can trace back to the target secret in the cloud backend. - The v1 output is a plain multi-line text message. Upgrading to Arrow is tracked separately. ## Access Control Requires the admin role. The Control Plane enforces vault:read on GET /vault/entries. ## Compatibility DeltaForge extension. No standard SQL equivalent.
| Name | Type | Description |
|---|---|---|
name | Specifies the display_name of the vault entry. | |
if_exists | When true, returns a 'does not exist' message instead of an error when the entry is missing. |
-- Describe an encryption key
DESCRIBE VAULT pii_key;-- Describe a credential (alias spelling)
DESCRIBE CREDENTIAL stripe_api_token;-- Either keyword describes an entry regardless of which was used at CREATE
DESCRIBE CREDENTIAL entry_created_as_vault;-- Safe invocation
DESCRIBE VAULT IF EXISTS maybe_there;