Vault env: Secret that may or may not be there
ewjoachim commented
vault env -p 'secret?' -- env
vault env -p 'secret=BLA?' -- env
will omit the environment variable altogether if an error happens when trying to read the secret.
ewjoachim commented
Soooo
I think that one of the few things we should do is model the "Secret not found" in a better way. This would change the API, though, but if path1 is ok and path2 is not ok:
s = client.get_secrets("")
# I think we should get something like:
{
    "path1": {"key": "value"},
    "path2": InvalidSecret(),
}
Now what I'm not sure about is what the expected thing is:
- In the lib, if I ask for `client.get_secret("path1", "path2")`, what should I get?
- In the CLI, if I ask for `vault get-all`, what should I get?
- In the CLI, if I ask for `vault get-all path1 path2`, what should I get?
- Depending on the answer above, `vault env -p '' -- env`, what should I get?
- What about `vault env -p path1 -p path2 -- env`?
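One way the two ideas in this thread could fit together, added here as an example and not the project's code: lookups return an `InvalidSecret` sentinel per path, and a trailing `?` on a `-p` value decides whether a missing secret is skipped or aborts the run. The in-memory `STORE`, the helpers `parse_spec` and `build_env`, `MissingSecretError`, the reading of `path=NAME` as a variable prefix, and the `NAME_KEY` naming are all assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InvalidSecret:
    """Sentinel stored in place of a value when a path cannot be read."""
    reason: str = "secret not found"


class MissingSecretError(Exception):
    """Raised when a mandatory (non-'?') path resolves to InvalidSecret."""


# Constructed sample data standing in for the real backend.
STORE = {"path1": {"key": "value"}, "secret": {"token": "abc"}}


def get_secrets(store, *paths):
    """Return {path: secret dict or InvalidSecret}; one bad path never raises."""
    return {p: store[p] if p in store else InvalidSecret() for p in paths}


def parse_spec(spec):
    """Split a -p value into (path, env prefix, optional)."""
    optional = spec.endswith("?")
    if optional:
        spec = spec[:-1]
    path, _, name = spec.partition("=")
    return path, name or path, optional


def build_env(store, specs, base_env=None):
    """Build the child environment; fail closed unless the path is optional."""
    env = dict(base_env or {})
    parsed = [parse_spec(s) for s in specs]
    results = get_secrets(store, *(path for path, _, _ in parsed))
    for path, name, optional in parsed:
        value = results[path]
        if isinstance(value, InvalidSecret):
            if optional:
                continue  # omit the variable altogether, as with 'secret?'
            raise MissingSecretError(f"{path}: {value.reason}")
        for key, val in value.items():
            env[f"{name}_{key}".upper()] = val
    return env
```

Keeping the sentinel in the library result and deciding in the caller means a missing mandatory secret stops the command before the child process starts, instead of running it with a variable silently absent.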