
Store user specified values in kv v2 secrets metadata #7905

Closed
trodemaster opened this issue Nov 19, 2019 · 3 comments · Fixed by hashicorp/vault-plugin-secrets-kv#48 or #12218

Comments

@trodemaster

trodemaster commented Nov 19, 2019

Is your feature request related to a problem? Please describe.
We want to add custom metadata to kv v2 secrets for auditing and reporting purposes. Storing these values with the metadata allows us to grant access to them separately from the secret data itself.

Describe the solution you'd like
Create a new metadata attribute that accepts a map. The first example shows the data we would like to store and report on. We are unable to control access to some of the keys and values currently.

{
  "request_id": "c81b340c-aed0-fd40-5467-777224bdee86",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "data": {
      "token_adobe_service_id": "1253467",
      "token_description": "Dogfood 2 your door service api",
      "token_expiration": "2019-08-28T00:00:00+00:00",
      "token_id": "Mutt button #2",
      "token_mission_critical": true,
      "token_owner": "[email protected]",
      "token_secret": "a340b6a946bbdw4515r884dy12b8a484b518",
      "token_secret_base64": false,
      "token_technical_contact": "[email protected]"
    },
    "metadata": {
      "created_time": "2019-11-08T18:45:01.892139679Z",
      "deletion_time": "",
      "destroyed": false,
      "version": 1
    }
  },
  "warnings": null
}

If the metadata allowed us to write a map of our values to it then existing access controls would work as desired. A reporting tool can be granted access to the metadata only. The example here shows one possible way to do this.

{
    "request_id": "c81b340c-aed0-fd40-5467-777224bdee86",
    "lease_id": "",
    "lease_duration": 0,
    "renewable": false,
    "data": {
        "data": {
            "token_id": "Mutt button #2",
            "token_secret_base64": false,
            "token_secret": "a340b6a946bbdw4515r884dy12b8a484b518"
        },
        "metadata": {
            "created_time": "2019-11-08T18:45:01.892139679Z",
            "deletion_time": "",
            "destroyed": false,
            "version": 1,
            "user_metadata": {
                "token_adobe_service_id": "1253467",
                "token_description": "Dogfood 2 your door service api",
                "token_expiration": "2019-08-28T00:00:00+00:00",
                "token_mission_critical": true,
                "token_owner": "[email protected]",
                "token_technical_contact": "[email protected]"
            }
        }
    },
    "warnings": null
}

Describe alternatives you've considered
Writing pairs of secrets at different paths would give us the ability to control access. This creates complexity for matching them up in users' automation. Writing Sentinel policies is also complicated as you're not able to read data from both sets of keys at the same time.
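As an added illustration of the split this request asks for (example code, not from the issue or from Vault itself): the feature that eventually shipped is the `custom_metadata` map on the KV v2 metadata path, which only accepts string values and, per Vault's documentation as assumed here, at most 64 keys with keys up to 128 bytes and values up to 512 bytes. The script below moves the reporting fields out of the secret body into that map (note that `token_mission_critical: true` has to become the string `"true"`) and emits the metadata-only ACL policy a reporting tool would get; the mount name, path and sample values are constructed.

```python
import json

# Documented custom_metadata limits (assumed here from Vault's KV v2 docs).
MAX_KEYS, MAX_KEY_BYTES, MAX_VALUE_BYTES = 64, 128, 512


def to_custom_metadata(fields):
    """Coerce a dict into the string->string map custom_metadata accepts."""
    if len(fields) > MAX_KEYS:
        raise ValueError(f"custom_metadata allows at most {MAX_KEYS} keys")
    out = {}
    for key, value in fields.items():
        # Non-strings such as token_mission_critical: true become "true".
        text = value if isinstance(value, str) else json.dumps(value)
        if len(key.encode()) > MAX_KEY_BYTES or len(text.encode()) > MAX_VALUE_BYTES:
            raise ValueError(f"custom_metadata key or value too long: {key}")
        out[key] = text
    return out


def plan_kv_v2_writes(mount, path, secret, reporting_keys):
    """Split one flat secret into the two KV v2 API writes: sensitive fields
    go to <mount>/data/<path>, reporting fields to <mount>/metadata/<path>."""
    data = {k: v for k, v in secret.items() if k not in reporting_keys}
    meta = {k: v for k, v in secret.items() if k in reporting_keys}
    return {
        f"{mount}/data/{path}": {"data": data},
        f"{mount}/metadata/{path}": {"custom_metadata": to_custom_metadata(meta)},
    }


def reporting_policy(mount):
    """ACL policy for a reporting tool: metadata only, secret data denied."""
    return (
        f'path "{mount}/metadata/*" {{\n  capabilities = ["read", "list"]\n}}\n'
        f'path "{mount}/data/*" {{\n  capabilities = ["deny"]\n}}\n'
    )


# Constructed sample modelled on the issue's first example (placeholder values).
SECRET = {
    "token_id": "Mutt button #2",
    "token_secret": "a340b6a946bbdw4515r884dy12b8a484b518",
    "token_secret_base64": False,
    "token_owner": "owner@example.com",
    "token_mission_critical": True,
    "token_expiration": "2019-08-28T00:00:00+00:00",
}
REPORTING_KEYS = {"token_owner", "token_mission_critical", "token_expiration"}

if __name__ == "__main__":
    print(json.dumps(plan_kv_v2_writes("secret", "adobe/mutt-button-2", SECRET, REPORTING_KEYS), indent=2))
```

With the policy attached to the reporting tool's token, it can read and list `secret/metadata/*` (including `custom_metadata`) while reads of `secret/data/*` are refused.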

@catsby
Contributor

catsby commented Nov 19, 2019

Similar feature request to #1893

@monokal

monokal commented Jan 9, 2020

I'd also be interested in the ability to store custom metadata attached to a specific secret.

@Zenithar

Zenithar commented May 7, 2020

Me too
