Closed JensRantil closed 8 years ago
Configure Vault ACL to allow secrets to a certain instance as long as user X, Y, Z has approved.
Should probably also support at least n approvals. A quorum of users could also be an idea.
Hi @JensRantil
I think you have a few options here.
transit backend and have the operator write to a known path and have the user read from the known path.

I think having Vault "block" until approval is a bit outside of the scope of Vault and not one of the primary use cases. Instead, I think it would be trivial to build a tiny application around Vault that acted as this gatekeeper.
What do you think?
Late answer here; sounds like my use case can be solved some other way. Great! Closing this...
This is a feature request. I skimmed the issues but couldn't find if this has been discussed:
Use case 1: A company has some passwords that need to be accessible in plain text. They can be root passwords or other sensitive material that needs to be stored somewhere. Generally secrets like this are stored in a safe, in something like 1Password on multiple developer/ops machines, or even worse in text files somewhere.
Problem: The above solutions all have their issues, mostly related to access control, synchronization, auditability.
Use case 2: An application/user that occasionally needs one-off access to a secret, manually triggered by an ops person. This can for example be the backup restore script that needs a decryption key, or an application being deployed that needs to be given access to an in-memory injection key at startup.
Proposal: That Vault supports delegation of access to secrets, something like this:
Considerations:
Remarks:
Is this a feature that would be within the scope of Vault? I have searched for a solution that basically would allow Shamir's Secret Sharing Scheme to be used interactively in a web interface. So far I haven't found anything like that. If Vault implements delegation, adding a web interface for general secrets such as root passwords etc. would be a relatively easy thing to do. Let me know what you think!
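One way to realise the "at least n approvals" quorum this request asks for, as an added example that is not code from this thread or from Vault: each approver holds one Shamir share, and a small gatekeeper reconstructs the secret only once a threshold of distinct shares has been presented (Vault itself uses Shamir for its unseal keys). The function names, the prime field and the sample values are assumptions of this example.

```python
import secrets

# Arithmetic is in GF(P), P = 2**127 - 1 (a Mersenne prime); secrets must be < P.
P = (1 << 127) - 1


def split_secret(secret: int, threshold: int, num_shares: int) -> list[tuple[int, int]]:
    """Return `num_shares` points (x, f(x)) on a random polynomial of degree
    threshold-1 whose constant term is `secret`. Any `threshold` points recover
    it; fewer reveal nothing about it."""
    if not 0 <= secret < P:
        raise ValueError("secret must be a non-negative integer smaller than P")
    if not 1 <= threshold <= num_shares:
        raise ValueError("need 1 <= threshold <= num_shares")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, num_shares + 1):  # x = 0 would hand out the secret itself
        y = 0
        for c in reversed(coeffs):  # Horner's rule: y = f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate f(0) from the given shares. With fewer than
    `threshold` shares this yields a wrong value that looks like a real one,
    so the quorum must be enforced before calling (see release_if_quorum)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def release_if_quorum(presented: list[tuple[int, int]], threshold: int):
    """Gatekeeper step: release the secret only once at least `threshold`
    approvers have presented distinct shares; otherwise return None."""
    by_x = {x: (x, y) for x, y in presented}  # one share per approver index
    if len(by_x) < threshold:
        return None
    return recover_secret(list(by_x.values())[:threshold])
```

In a deployment the integer secret would be the encoded key material (here an int below P) and each approver would submit their share through the gatekeeper's interface rather than holding it in the same process.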