Is your feature request related to a problem? Please describe.
We want to add custom metadata to kv v2 secrets for auditing and reporting purposes. Storing these values with the metadata allows us to grant access to them separately from the secret data itself.
Describe the solution you'd like
Create a new metadata attribute that accepts a map. The first example shows the data we would like to store and report on. We are unable to control access to some of the keys and values currently.
```json
{
  "request_id": "c81b340c-aed0-fd40-5467-777224bdee86",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "data": {
      "token_adobe_service_id": "1253467",
      "token_description": "Dogfood 2 your door service api",
      "token_expiration": "2019-08-28T00:00:00+00:00",
      "token_id": "Mutt button #2",
      "token_mission_critical": true,
      "token_owner": "[email protected]",
      "token_secret": "a340b6a946bbdw4515r884dy12b8a484b518",
      "token_secret_base64": false,
      "token_technical_contact": "[email protected]"
    },
    "metadata": {
      "created_time": "2019-11-08T18:45:01.892139679Z",
      "deletion_time": "",
      "destroyed": false,
      "version": 1
    }
  },
  "warnings": null
}
```
If the metadata allowed us to write a map of our values to it then existing access controls would work as desired. A reporting tool can be granted access to the metadata only. The example here shows one possible way to do this.
```json
{
  "request_id": "c81b340c-aed0-fd40-5467-777224bdee86",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "data": {
      "token_id": "Mutt button #2",
      "token_secret_base64": false,
      "token_secret": "a340b6a946bbdw4515r884dy12b8a484b518"
    },
    "metadata": {
      "created_time": "2019-11-08T18:45:01.892139679Z",
      "deletion_time": "",
      "destroyed": false,
      "version": 1,
      "user_metadata": {
        "token_adobe_service_id": "1253467",
        "token_description": "Dogfood 2 your door service api",
        "token_expiration": "2019-08-28T00:00:00+00:00",
        "token_mission_critical": true,
        "token_owner": "[email protected]",
        "token_technical_contact": "[email protected]"
      }
    }
  },
  "warnings": null
}
```
Describe alternatives you've considered
Writing pairs of secrets at different paths would give us the ability to control access. This creates complexity for matching them up in users' automation. Writing Sentinel policies is also complicated as you're not able to read data from both sets of keys at the same time.
Similar feature request to https://github.com/hashicorp/vault/issues/1893
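The access-control argument in the request rests on KV v2 exposing a secret under two paths, `secret/data/<name>` and `secret/metadata/<name>`, so that a policy can grant one without the other. The script below is an added illustration written for this issue, not Vault code: it splits the flat secret from the first example into the proposed `data` / `user_metadata` shape, then evaluates two constructed policies against both paths with a simplified model of Vault's ACL matching (trailing `*` glob, `+` for one path segment, longest matching rule wins, `deny` overrides). The secret path `secret/data/apps/dogfood`, the policy contents and the choice of which keys stay secret are assumptions made for the example.

```python
"""Split a KV v2 secret into sensitive data plus reportable metadata and
show which constructed policy can read which path.

Added example for this feature request; not Vault's own code. The ACL
matcher is a deliberately simplified model of Vault's policy semantics.
"""

# Constructed input: the flat key/value set from the first example in the issue.
FLAT_SECRET = {
    "token_adobe_service_id": "1253467",
    "token_description": "Dogfood 2 your door service api",
    "token_expiration": "2019-08-28T00:00:00+00:00",
    "token_id": "Mutt button #2",
    "token_mission_critical": True,
    "token_owner": "[email protected]",
    "token_secret": "a340b6a946bbdw4515r884dy12b8a484b518",
    "token_secret_base64": False,
    "token_technical_contact": "[email protected]",
}

# Assumption for the example: only these keys must stay under secret/data.
SECRET_KEYS = {"token_id", "token_secret", "token_secret_base64"}


def split_secret(flat, secret_keys):
    """Return (data, user_metadata): sensitive keys vs. reportable keys."""
    data = {k: v for k, v in flat.items() if k in secret_keys}
    user_metadata = {k: v for k, v in flat.items() if k not in secret_keys}
    return data, user_metadata


def path_matches(rule, path):
    """Simplified Vault path matching: '+' matches exactly one segment,
    a trailing '*' matches any remainder (prefix glob)."""
    rule_segs = rule.split("/")
    path_segs = path.split("/")
    for i, seg in enumerate(rule_segs):
        if seg.endswith("*") and i == len(rule_segs) - 1:
            rest = "/".join(path_segs[i:])
            return i < len(path_segs) and rest.startswith(seg[:-1])
        if i >= len(path_segs):
            return False
        if seg == "+":
            continue
        if seg != path_segs[i]:
            return False
    return len(rule_segs) == len(path_segs)


def is_allowed(policies, path, capability):
    """Evaluate a request against a list of policies (each a dict of
    rule path -> set of capabilities). The longest matching rule(s) decide;
    'deny' wins over everything. Simplified from Vault's real merge logic."""
    matches = [
        (rule, caps)
        for rules in policies
        for rule, caps in rules.items()
        if path_matches(rule, path)
    ]
    if not matches:
        return False
    longest = max(len(rule) for rule, _ in matches)
    caps = set().union(*(c for r, c in matches if len(r) == longest))
    if "deny" in caps:
        return False
    return capability in caps


# Constructed policies: the reporting tool sees metadata only, the
# application sees its own secret data only.
REPORTING_POLICY = {"secret/metadata/*": {"read", "list"}}
APP_POLICY = {"secret/data/apps/+": {"read"}}

SECRET_PATH = "apps/dogfood"  # assumed secret name for the example


def access_matrix():
    """Which principal can read which KV v2 path for SECRET_PATH."""
    data_path = "secret/data/" + SECRET_PATH
    meta_path = "secret/metadata/" + SECRET_PATH
    return {
        "reporting_reads_metadata": is_allowed([REPORTING_POLICY], meta_path, "read"),
        "reporting_reads_data": is_allowed([REPORTING_POLICY], data_path, "read"),
        "app_reads_data": is_allowed([APP_POLICY], data_path, "read"),
        "app_reads_metadata": is_allowed([APP_POLICY], meta_path, "read"),
    }


if __name__ == "__main__":
    data, user_metadata = split_secret(FLAT_SECRET, SECRET_KEYS)
    print("data keys:", sorted(data))
    print("user_metadata keys:", sorted(user_metadata))
    for check, result in access_matrix().items():
        print(f"{check}: {result}")
```

With the metadata/data split in place, the reporting policy never needs a rule under `secret/data/`, which is the least-privilege outcome the request is after; the same matcher also shows why an explicit `deny` on a longer path would still override the broader glob.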
I'd also be interested in the ability to store custom metadata attached to a specific secret.
Me too