Add custom key metadata #48
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
vishalnayak
reviewed
Aug 9, 2021
vishalnayak
reviewed
Aug 9, 2021
vishalnayak
reviewed
Aug 9, 2021
vishalnayak
reviewed
Aug 9, 2021
swayne275
reviewed
Aug 9, 2021
swayne275
approved these changes
Aug 10, 2021
|
Thanks for the awesome work, this is exactly what I was looking for! I thought it would work out the box included in the main vault binary, but seems not. EDIT: Just found that its looking to be included in the Vault 1.9 release -> https://github.com/hashicorp/vault/milestone/100 |
|
Thanks for the comment, @bradly-swart! I wanted to confirm the statement that you provided in your EDIT. This feature will be part of the Vault 1.9 release. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
kv-v2 does not provide the ability to specify custom key metadata to describe a secret. A possible workaround is to store this metadata as part of the secret data itself. Doing so results in the metadata having the same ACL access as the data. This change includes a new
custom_metadatafield to the key metadata that will allow users to specify arbitrary version-agnostic metadata.Design of Change
How was this change implemented?
A new
custom_metadatafield has been added to the key metadata as a map of string-to-string key-value pairs (i.e.map<string, string>). Thewrite(POST and PUT) andreadoperations for the/<mount>/metadata/:pathendpoint have been modified to handle this new field. In the case of a POST or PUT, validation will be run against the input. The provided map cannot have more than 64 keys. If the key count is less than 64, the following checks are performed for each key-value pair:All errors will be rolled up and returned as a
multierror. If no errors are found, thecustom_metadatafield will be stored alongside the other key metadata. There is no patching support for this field at this time. With that said, the value in storage will be completely overwritten by the provided value in the request. If thecustom_metadatafield is not provided in a request, the stored value should persist as is.Related Issues/Pull Requests
Resolves Vault Issue #7905
Associated with Vault PR #12218
Contributor Checklist