secrets_cli
allow environment to be at beginning of secrets_full_storage_key
It is a lot easier to silo off environments from each other when the environment is at the beginning of the secret path. This is due to the fact that policies allow splats '*', but only at the end of the path (see https://www.vaultproject.io/docs/concepts/policies.html). We want to give some developers access to update the dev environment as they need. It is a lot easier to write a policy like this

    read/write etc... '/secret/dev/*'

as opposed to multiple definitions for each application

    read/write etc... '/secret/(app1)/dev/*'
    read/write etc... '/secret/(app2)/dev/*'
    read/write etc... '/secret/(app3)/dev/*'
    read/write etc... '/secret/(app4)/dev/*'

This could get messy real quick.
This should be fairly easy to support. In the file 'lib/secrets_cli/vault/base.rb', instead of hard coding

    def secrets_full_storage_key
      File.join(secrets_storage_key, config.environment)
    end

there could be a Proc (https://ruby-doc.org/core-2.2.0/Proc.html) that defaults to the current File.join command. Maybe I can do a PR for it.
You are very welcome to do a PR to support this :)
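The Proc idea from the issue, as an added sketch that is not secrets_cli's own code: `KeyBuilder`, `ENV_FIRST`, `policy_allows?` and `covered_apps` are hypothetical names, the app names are constructed, and the matcher is a simplified model of Vault's trailing-glob rule with paths written without a leading slash.

```ruby
# Added illustration; KeyBuilder and policy_allows? are hypothetical names,
# not part of secrets_cli or Vault.
class KeyBuilder
  # Default keeps the current behaviour: File.join(secrets_storage_key, environment).
  DEFAULT = ->(storage_key, environment) { File.join(storage_key, environment) }
  # Alternative layout: environment directly after the first path segment.
  ENV_FIRST = lambda do |storage_key, environment|
    mount, *rest = storage_key.split('/').reject(&:empty?)
    File.join(mount, environment, *rest)
  end

  def initialize(storage_key, environment, builder: DEFAULT)
    @storage_key = storage_key
    @environment = environment
    @builder = builder
  end

  def secrets_full_storage_key
    key = @builder.call(@storage_key, @environment)
    # The environment decides which policy applies, so refuse keys that
    # contain traversal segments or glob characters.
    raise ArgumentError, "unsafe key: #{key}" if key.split('/').include?('..') || key.include?('*')
    key
  end
end

# Simplified model of policy path matching: exact match, or a prefix match
# when the rule ends in '*' (the only position where a glob is allowed).
def policy_allows?(rules, path)
  rules.any? do |rule|
    rule.end_with?('*') ? path.start_with?(rule.chomp('*')) : path == rule
  end
end

APPS = %w[app1 app2 app3 app4].freeze # constructed sample app names
DEV_RULES = ['secret/dev/*'].freeze   # the single dev rule from the issue

# Apps whose full storage key is reachable with only the dev rule.
def covered_apps(environment, builder)
  APPS.select do |app|
    key = KeyBuilder.new("secret/#{app}", environment, builder: builder).secrets_full_storage_key
    policy_allows?(DEV_RULES, key)
  end
end
```

With `ENV_FIRST` the one dev rule reaches every app's dev secrets and none of the prod ones; with `DEFAULT` it reaches nothing, which is why the app-first layout needs one rule per application.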