Add policy option to only read keys / parameters of secrets
Is your feature request related to a problem? Please describe.
Yes.
I have a kv2 secret engine for our Jenkins, to which only the technical Jenkins user has read access:

```hcl
path "jenkins/metadata/*" {
  capabilities = ["list"]
}
path "jenkins/data/*" {
  capabilities = ["read"]
}
```
Now, I would like to write a policy for developers that allows the developers to update the secrets:

```hcl
path "jenkins/metadata/*" {
  capabilities = ["read", "list", "update"]
}
path "jenkins/data/*" {
  capabilities = ["create", "update"]
}
```
Describe the solution you'd like
When updating the secrets, it would be really useful to have access to the keys/parameters of the secrets.
Example: There is a secret named xyz in the jenkins/technical/ folder with the keys/parameters "password" and "username" in the last version.
I would like to write a policy that can:
- See the keys of each version, e.g.:
```json
{
  "password": "*******",
  "username": "*******"
}
```
- If I update the secret, Vault should take the keys/parameters from the last version, e.g.:
```json
{
  "password": "",
  "username": ""
}
```
- Access to the values of the secrets should not be possible
Additional context
I know that there is an option to set required_parameters, but I think this is not a good solution for my problem, as parameters can also change over time. Also, it is not possible to mark parameters as required when creating a new secret.
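To see what the two policies above actually grant on a KV v2 secret, here is an added example that is not part of the issue or of Vault itself: a small Python model of Vault's ACL path evaluation (deny by default, exact path beats trailing-`*` glob, longest glob prefix wins, same-path rules merge, `deny` overrides). It deliberately leaves out `+` segment wildcards, `sudo` and parameter constraints, and the secret name `technical/xyz` is the one from the issue.

```python
"""Simplified model of how Vault evaluates the two KV v2 policies from this issue.

Added for illustration; this is not Vault's own evaluator. It models only
exact paths, trailing-'*' globs, per-path capability merging and 'deny'.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    path: str                      # policy path, optionally ending in '*'
    capabilities: frozenset[str]


def policy(rules: dict[str, list[str]]) -> list[Rule]:
    """Build a policy from {path: [capabilities]}."""
    return [Rule(p, frozenset(c)) for p, c in rules.items()]


# The two policies exactly as written in the issue above.
JENKINS_USER = policy({
    "jenkins/metadata/*": ["list"],
    "jenkins/data/*": ["read"],
})
DEVELOPERS = policy({
    "jenkins/metadata/*": ["read", "list", "update"],
    "jenkins/data/*": ["create", "update"],
})


def matches(rule_path: str, request_path: str) -> bool:
    """Trailing '*' is a prefix glob; anything else must match exactly."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return rule_path == request_path


def effective_capabilities(policies: list[list[Rule]], request_path: str) -> frozenset[str]:
    """Capabilities the most specific matching rule(s) grant on request_path.

    An exact-path rule beats any glob; among globs the longest prefix wins.
    Rules on the same winning path from different policies are merged, and a
    'deny' anywhere in the merged set overrides everything else.
    """
    candidates = [r for rules in policies for r in rules if matches(r.path, request_path)]
    if not candidates:
        return frozenset()          # Vault is deny-by-default
    exact = [r for r in candidates if r.path == request_path]
    chosen_path = request_path if exact else max(candidates, key=lambda r: len(r.path)).path
    merged = frozenset().union(*(r.capabilities for r in candidates if r.path == chosen_path))
    return frozenset({"deny"}) if "deny" in merged else merged


def allowed(policies: list[list[Rule]], operation: str, request_path: str) -> bool:
    """True if a token holding `policies` may perform `operation` on `request_path`."""
    return operation in effective_capabilities(policies, request_path)


def access_matrix(policies: list[list[Rule]], secret: str = "technical/xyz") -> dict[str, bool]:
    """What a token holding `policies` can do with one KV v2 secret."""
    data_path = f"jenkins/data/{secret}"        # values live under data/
    meta_path = f"jenkins/metadata/{secret}"    # versions/timestamps live under metadata/
    return {
        "read values": allowed(policies, "read", data_path),
        "write new version": allowed(policies, "update", data_path),
        "read metadata": allowed(policies, "read", meta_path),
        "list secrets": allowed(policies, "list", "jenkins/metadata/technical/"),
    }


if __name__ == "__main__":
    for name, pol in (("jenkins-user", JENKINS_USER), ("developers", DEVELOPERS)):
        print(name, access_matrix([pol]))
```

Running it shows the split the issue is asking about: the developers policy can write a new version of `jenkins/data/technical/xyz` and read its metadata, but cannot read the data path at all. Since a KV v2 metadata read returns version numbers, timestamps and custom metadata but not the key names, and the key names are only reachable under `data/` together with the values, there is no capability combination in these policies that exposes "password"/"username" without also exposing the secret values.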
Hi @sgutwein , thanks for filing this issue! This is definitely a great feature to have, and we are planning to incorporate this functionality into a future release.
Has this feature been added?
The function would be very useful, are there any updates on this matter?
Just wanted to check in—this feature would be super helpful for our use case too. Is it currently planned, or is there any roadmap update you could share?
I love it when they say, "We are planning this for a future release," and after four years, the issue is still there.