search

bank-vaults / secret-sync

Synchronise secrets between secret stores in a configurable manner
Apache License 2.0
19 stars 1 forks source link

Add new secret store providers #10

Open ramizpolic opened 1 year ago

ramizpolic commented 1 year ago

Goal

Currently we only support Vault by HashiCorp as a secret store provider. It would be beneficial to add additional providers, namely:

sagikazarmark commented 1 year ago

Would it make sense to create a batch provider that fans secrets out to multiple providers?

Similarly, would it make sense to try to read from multiple sources (ie. if not found in store A, try store B).

Not sure these make sense or should be a priority, but it's something to consider.

We can wait for feedback from the community to see if someone needs this behavior.

ramizpolic commented 1 year ago

We can certainly add support for that, but I think it will bring more complications than benefits (validation, handling collisions, tracking changes,...). I think it makes more sense to add support for N-to-1 syncs (N sources, 1 dest) to keep things simpler and cleaner. This way, each sync job would uniquely identify a destination store.

Rather than creating a provider that does this, this could be enabled on the API level itself. Consider this sync plan:

source: main-source
dest: main-dest
plan: 
  - secret:
      key: "from-main"
  - secret:
      key: "from-override"
      source: override-source

This is definitely something we want to have at some point, but for now, it is not a priority.