node-vault

Add support for custom headers so that we can audit them

Open Constantin07 opened this issue 8 years ago • 1 comments

It makes sense to be able to send custom HTTP headers to Vault so that they can be included in vault audit logs. These headers can include additional metadata to be tracked in audit logs.

Usage scenario: an application running in a Docker container, when requesting credentials from Vault, can post, for instance, two custom headers like 'X-Application-Name: app-name' and 'X-Application-Version: 1.0.0', which will appear in the Vault audit logs.

Via API (curl) this can be done as:

    curl -sk -H "X-Vault-Token: <token>" -H "X-Application-Name: app-test" -X GET https://***.****.***:8200/v1/secret/custom

Then in audit logs we can capture something like:

    "request": {
      "id": "ef5e02ca-b9ae-8846-6835-1c91168890c3",
      "operation": "read",
      "client_token": "hmac-sha256:911623f1a0e5dfd31368c107b62782dc1375dd28a20f01068df69a1187f4891f",
      "client_token_accessor": "hmac-sha256:c9336f259dc9201577f7fb8efebcdfa74497f4a66afd108df888b293e73f605b",
      "path": "secret/custom",
      "data": null,
      "remote_address": "172.19.0.28",
      "wrap_ttl": 0,
      "headers": {
        "x-application-name": [
          "app-test"
        ]
      }
    }

This will allow us to track which application the request came from. At the moment the audit logs include the source IP, which doesn't help.

Constantin07, Oct 03 '17 09:10
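
The following is an added example, not code from the issue or from node-vault: it reads audit log lines shaped like the excerpt above and groups requests by the `x-application-name` header, setting aside requests that lack it. The log lines are constructed, and the `type` field and one-JSON-object-per-line layout are assumed from Vault's file audit device; the header value is client-supplied, so it is a label, not an authenticated identity.

```javascript
// Constructed sample input: audit entries, one JSON object per line (assumed layout).
const SAMPLE_LOG = [
  '{"type":"request","request":{"id":"req-1","operation":"read","path":"secret/custom","remote_address":"172.19.0.28","headers":{"x-application-name":["app-test"]}}}',
  '{"type":"request","request":{"id":"req-2","operation":"read","path":"secret/custom","remote_address":"172.19.0.28"}}',
  '{"type":"response","request":{"id":"req-1","operation":"read","path":"secret/custom","remote_address":"172.19.0.28","headers":{"x-application-name":["app-test"]}}}',
  'not json',
].join('\n');

// Header name as it appears in the audit excerpt (lower-cased).
const APP_HEADER = 'x-application-name';

// Hypothetical helper: groups logged requests by application header value.
function attributeRequests(logText, header = APP_HEADER) {
  const byApp = new Map();   // app name -> [{ id, path, remote_address }]
  const unattributed = [];   // requests with no usable header value
  let malformed = 0;         // lines that are not valid JSON

  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let entry;
    try { entry = JSON.parse(line); } catch { malformed++; continue; }

    // Requests are logged again with their response; count each once.
    if (!entry || entry.type !== 'request' || !entry.request) continue;

    const { id, path, remote_address } = entry.request;
    const headers = entry.request.headers || {};
    const values = Array.isArray(headers[header]) ? headers[header] : [];
    const record = { id, path, remote_address };

    // Missing, empty or repeated header: attribution would be ambiguous.
    if (values.length !== 1 || typeof values[0] !== 'string' || !values[0]) {
      unattributed.push(record);
      continue;
    }
    if (!byApp.has(values[0])) byApp.set(values[0], []);
    byApp.get(values[0]).push(record);
  }
  return { byApp, unattributed, malformed };
}

const report = attributeRequests(SAMPLE_LOG);
for (const [app, reqs] of report.byApp) {
  console.log(`${app}: ${reqs.map((r) => `${r.id} ${r.path}`).join(', ')}`);
}
console.log('no application header:', report.unattributed.map((r) => r.id));
```

Requests from the same source IP that arrive without the header land in `unattributed`, which is the set to review when every client is expected to identify itself.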

This is totally possible and probably even easy to implement. I will try to find time to implement this after finishing with my refactor pull request.

DaniGuardiola, Jan 15 '18 14:01

Since #78 is stale, I'm closing this issue as well. That being said - will keep in mind the requirement of allowing headers access.

aviadhahami, Nov 10 '22 16:11