peopledoc/vault-cli

Vault env: Secret that may or may not be there


vault env -p 'secret?' -- env
vault env -p 'secret=BLA?' -- env

will omit the environment variable altogether if an error happens when trying to read the secret.

Soooo

I think that one of the few things we should do is model the "Secret not found" in a better way. This would change the API, though, but if path1 is ok and path2 not ok:

s = client.get_secrets("")
# I think we should get something like:
{
    "path1": {"key": "value"},
    "path2": InvalidSecret(),
}

Now what I'm not sure about is what the expected thing is:

  • In the lib, if I ask for client.get_secret("path1", "path2"), what should I get?
  • In the cli, if I ask for vault get-all, what should I get?
  • In the cli, if I ask for vault get-all path1 path2, what should I get?
  • Depending on the answer above, vault env -p '', what should I get?
  • What about vault env -p path1 -p path2 -- env?
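
A sketch of the semantics proposed in this issue, added here as an illustration and not vault-cli's own code: per-path results carry an `InvalidSecret` placeholder instead of raising, and only specs marked with a trailing `?` may be dropped from the environment, so a required secret still fails closed. `parse_spec`, `build_env`, `MissingRequiredSecret`, the dict-backed `STORE` and the `NAME_KEY` variable naming are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class InvalidSecret:
    """Placeholder stored where a secret could not be read."""
    reason: str = "not found"

class MissingRequiredSecret(Exception):
    """Raised when a secret without the '?' marker cannot be read."""

def parse_spec(spec):
    """Split 'path', 'path=NAME', 'path?' or 'path=NAME?' into its parts."""
    optional = spec.endswith("?")
    if optional:
        spec = spec[:-1]
    path, _, name = spec.partition("=")
    if not path:
        raise ValueError("empty secret path")
    # Hypothetical default: name the variable after the last path segment.
    return path, (name or path.rsplit("/", 1)[-1]).upper(), optional

def get_secrets(store, paths):
    """Return one entry per path; a failed read becomes InvalidSecret."""
    result = {}
    for path in paths:
        try:
            result[path] = store[path]
        except KeyError:
            result[path] = InvalidSecret()
    return result

def build_env(store, specs):
    """Optional secrets that fail are omitted; required ones abort the run."""
    parsed = [parse_spec(s) for s in specs]
    secrets = get_secrets(store, [path for path, _, _ in parsed])
    env = {}
    for path, name, optional in parsed:
        value = secrets[path]
        if isinstance(value, InvalidSecret):
            if optional:
                continue  # 'path?': leave the variable out entirely
            raise MissingRequiredSecret(f"{path}: {value.reason}")
        for key, val in value.items():
            env[f"{name}_{key}".upper()] = val  # assumed NAME_KEY naming
    return env

# Constructed sample data standing in for a Vault backend: path2 is absent.
STORE = {"path1": {"key": "value"}}
```

Because the failure is decided per spec in `build_env`, the library call can keep returning every path while the command line chooses, spec by spec, whether a missing secret is tolerated.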