hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Manage access control by tagging of secrets #11316

Open FeKoerner opened 3 years ago

FeKoerner commented 3 years ago

Is your feature request related to a problem? Please describe.
In the current state every access change has to be made from an administrator by changing the matching policy.

Describe the solution you'd like
The goal is to make this more flexible and to empower the creator of a secret to share it on their own. This would solve the bottleneck of the administration.

I would like to introduce tagging at secrets. Here is an example:

CorpFoo consists of the following teams:

CorpFoo uses a simple vault setup with only one key value store under the path secret. Every team has a folder under this path with secrets.

Development creates a secret with the name newyork. Development knows that Operations needs read access to the secret newyork.

Possible realization:

Describe alternatives you've considered
Extending regular expressions of policies

sgmiller commented 3 years ago

Have you considered structuring your secrets path by consumer (eg operations) rather than producer? Giving the development team write but not read to a path that operations has read but not write is a common pattern.
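
The producer-write / consumer-read split described above, written out as two Vault ACL policies (an added example, not code from this thread or from the Vault project; it assumes a KV version 2 engine mounted at `secret`, and reuses the issue's team names, with one folder per consuming team):

```hcl
# Added example: the "structure secrets by consumer" pattern.
# Assumption: KV v2 mounted at "secret"; the folder secret/operations/
# holds everything published *for* the operations team.
# The two policies below are two separate files (dev-policy.hcl and
# ops-policy.hcl), shown one after the other.

# --- dev-policy.hcl ---
# Development may publish secrets for operations but not read them back.
# In KV v2 both reads and writes go through the "data/" prefix, so only
# "create" and "update" are granted here and "read" is deliberately absent.
path "secret/data/operations/*" {
  capabilities = ["create", "update"]
}

# Let developers see the names of what they have already published
# (names only, never values); KV v2 listing lives under "metadata/".
path "secret/metadata/operations/*" {
  capabilities = ["list"]
}

# --- ops-policy.hcl ---
# Operations may read the secrets published for it, but cannot create or
# overwrite them, so a producer cannot be impersonated from the consumer side.
path "secret/data/operations/*" {
  capabilities = ["read"]
}

path "secret/metadata/operations/*" {
  capabilities = ["list"]
}
```

After loading each file with `vault policy write`, the split can be checked with `vault token capabilities <token> secret/data/operations/newyork`, which should report only `create, update` for a development token and only `read` for an operations token.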

yahesh commented 3 years ago

This would be an awesome feature. Structuring secrets paths by consumer leads to either duplicate data (if each consumer group gets their own path) or to a cluttering of secrets paths (if each combination of consumers get their own path). There currently does not seem to be a simple yet efficient way to do this.