hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Add policy option to only read keys / parameters of secrets #10704

Open sgutwein opened 3 years ago

sgutwein commented 3 years ago

Is your feature request related to a problem? Please describe.

Yes.

I have a kv2 secret engine for our Jenkins, to which only the technical Jenkins user has read access:

path "jenkins/metadata/*" {
  capabilities =  ["list"]
}

path "jenkins/data/*" {
  capabilities =  ["read"]
}

Now, I would like to write a policy for developers that allows the developers to update the secrets:

path "jenkins/metadata/*" {
    capabilities =  ["read", "list", "update"]
}

path "jenkins/data/*" {
    capabilities =  ["create", "update"]
}

Describe the solution you'd like

By updating the secrets, it would be really useful to have access to keys/parameters of the secrets.

Example: There is a secret named xyz in the jenkins/technical/ folder with the keys/parameters "password" and "username" in the last version.

I would like to write a policy that can:

  1. See the keys of each version, e.g.:

    {
      "password": "*******",
      "username": "*******"
    }

  2. If I update the secret, Vault should take the keys/parameters from the last version, e.g.:

    {
      "password": "",
      "username": ""
    }

  3. Access to the values of the secrets should not be possible.

Additional context

I know that there is an option to set required_parameters, but I think this is not a good solution for my problem, as parameters can also change over time. Also, it is not possible to mark parameters as required when creating a new secret.
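As an added illustration (not Vault's code and not part of this issue), the Python below sketches how an intermediary service sitting between developers and Vault could satisfy the three requirements in the request using the kv-v2 read and write JSON shapes; the sample read response is constructed, and the function names are assumptions.

```python
import json

# Constructed sample of a kv-v2 read response (GET <mount>/data/<path>): the secret
# payload sits under data.data and the version info under data.metadata.
SAMPLE_READ_RESPONSE = json.dumps({
    "data": {
        "data": {"username": "jenkins-svc", "password": "s3cr3t-value"},
        "metadata": {"version": 3, "created_time": "2021-01-14T10:00:00Z",
                     "deletion_time": "", "destroyed": False},
    }
})

MASK = "*******"


def masked_keys(read_response: str) -> dict:
    """Requirement 1: expose only the key names of the latest version, never the values."""
    body = json.loads(read_response)
    return {k: MASK for k in body["data"]["data"]}


def update_template(read_response: str) -> dict:
    """Requirement 2: pre-populate an update with the existing keys and empty values."""
    body = json.loads(read_response)
    return {k: "" for k in body["data"]["data"]}


def current_version(read_response: str) -> int:
    """Version number of the secret the template was derived from."""
    return json.loads(read_response)["data"]["metadata"]["version"]


def validate_update(read_response: str, proposed: dict) -> list:
    """Refuse an update that drops an existing key or leaves one empty.
    New keys are allowed because the requester notes that parameters change over time.
    Returns a list of problems; an empty list means the update may be forwarded."""
    current = set(json.loads(read_response)["data"]["data"])
    problems = [f"missing key: {k}" for k in sorted(current - set(proposed))]
    problems += [f"empty value for key: {k}" for k, v in proposed.items()
                 if k in current and v == ""]
    return problems


def build_write_body(proposed: dict, expected_version: int) -> dict:
    """Wrap the update in the kv-v2 write shape (POST <mount>/data/<path>) with
    check-and-set, so the write fails if the secret changed since the template was issued."""
    return {"data": proposed, "options": {"cas": expected_version}}
```

The intermediary, not the developer, holds the token with read capability on jenkins/data/*, so the developer only ever sees the masked view and the template.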

HridoyRoy commented 3 years ago

Hi @sgutwein , thanks for filing this issue! This is definitely a great feature to have, and we are planning to incorporate this functionality into a future release.

baturay-tryroll commented 9 months ago

Has this feature been added?

CypressMan commented 2 months ago

The function would be very useful; are there any updates on this matter?