Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiple Configurations Possible? #47

Open
natescherer opened this issue Jan 25, 2021 · 6 comments
Open

Multiple Configurations Possible? #47

natescherer opened this issue Jan 25, 2021 · 6 comments
Labels
enhancement New feature or request

Comments

@natescherer
Copy link

Hello,
I think this would probably require significant work, but are their any plans to add support multiple different configurations? I'm looking to have a non-default Vault using SecretStore that doesn't have a password to be used as part of a module I'm writing to store API keys.

As far as I can tell, if I were to do this now, my module creating a passwordless configuration would prevent the user from being able to have their own, password-locked separate Vault.

Assuming my understanding of the current configuration is accurate, is support for something like this on the roadmap?

Thanks!
@PaulHigin
Copy link
Contributor

Currently, the configuration is per user account, and there is no way to have multiple configured stores per user. I doubt we would change this since part of the security is based on user account isolation. One workaround is to create a separate account for a password-less configuration, for example a test account. But a password-less configuration is susceptible to malicious admin/root accounts.

We have thought about a machine scope based configuration, useable by all accounts. But a password-less machine scope store would not be very secure and I don't know if we would want to support it (unless there was some sort of RBAC).

@SydneyhSmith SydneyhSmith added the enhancement New feature or request label Mar 8, 2021
@SydneyhSmith
Copy link
Collaborator

Thanks @natescherer this is an interesting scenario, that we may want to support in a future release (after GA) but we will have to think more deeply about security implications...cc: @TravisEz13

@zrbrc
Copy link

zrbrc commented Mar 11, 2021

A global scope is definitely needed in my opinion. As it is now, this doesnt solve anything for my situation. I have on-request processes that need a stored password, but they are executed by various users.

@PaulHigin
Copy link
Contributor

@zrbrc The -Scope parameter already takes a 'AllUsers' value, but it is not implemented in this first version. But it is something we can look at for the next version release.

@zrbrc
Copy link

zrbrc commented Mar 11, 2021

@PaulHigin Understood, I saw it was there, but unimplemented. I was only commenting bc you weren't sure if that would happen or not. Thanks.

@PaulHigin
Copy link
Contributor

We weren't sure how important this was to the community, so your input is valuable and we can make it a higher priority for the next version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@natescherer @PaulHigin @SydneyhSmith @zrbrc