Feature request - follow path
SwannCroiset opened this issue · 4 comments
The vault-cli handles "special" secrets as a "path" to read.
For example, the expected vault-cli behavior would be:
- get the secret value rabbitmq-front/creds/shared from the path app/infra/rabbit/front-shared/engine_path
- read and return the secret value from this path rabbitmq-front/creds/shared (in this example the secret value is a JSON dict {"username": "xx", "password": "xx"})
i.e. naive implementation: this behavior occurs when a path matches /engine_path$
This is needed to integrate RabbitMQ secret Engine 'seamlessly' for apps (https://www.vaultproject.io/docs/secrets/rabbitmq/index.html)
cc @mgu @yannlachiver @pilou- @marieluce-allee @ccouturi @damienbertau
It's interesting, but we need a good way to ensure a path is not followed involuntarily.
E.g.
sentry: <sentry-dsn>
(...)
monitoring:
  exceptions-monitoring-provider: sentry
and before you know it, you have an error like " is not a valid choice for exceptions-monitoring-provider"
Would something like:
app/infra/rabbit/front-shared/engine_path: $secret-path$rabbitmq-front/creds/shared
be OK? I think it's sufficiently sure that no one will prefix their secret with $secret-path$ without this in mind.
Not sure I understand your example with sentry, but your proposition looks fine to me (a magic prefix in the secret value).
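The magic-prefix proposal discussed in this thread, sketched as an added example (not vault-cli code and not written by any participant): only values starting with `$secret-path$` are followed, with loop and hop limits, next to a value-matching variant that follows a path involuntarily. The in-memory `STORE`, the function names, `MAX_HOPS` and the `loop/*` and `monitoring/...` paths are assumptions made for illustration.

```python
# Added example: a dict stands in for Vault; all names here are hypothetical.
PREFIX = "$secret-path$"
MAX_HOPS = 5  # assumption: upper bound on chained references

# Constructed sample data reusing the paths and values quoted in the thread.
STORE = {
    "app/infra/rabbit/front-shared/engine_path": PREFIX + "rabbitmq-front/creds/shared",
    "rabbitmq-front/creds/shared": {"username": "xx", "password": "xx"},
    "sentry": "<sentry-dsn>",
    "monitoring/exceptions-monitoring-provider": "sentry",
    "loop/a": PREFIX + "loop/b",
    "loop/b": PREFIX + "loop/a",
}


class FollowError(Exception):
    """Raised when a reference chain loops, is too long, or points nowhere."""


def get_secret(store, path):
    """Return the value at `path`, following only explicitly prefixed references."""
    seen = []
    while True:
        if path in seen:
            raise FollowError("reference loop: " + " -> ".join(seen + [path]))
        if len(seen) > MAX_HOPS:
            raise FollowError("too many hops starting at " + seen[0])
        seen.append(path)
        if path not in store:
            raise FollowError("no secret at " + path)
        value = store[path]
        # Only a string carrying the marker is a reference; anything else is data.
        if not (isinstance(value, str) and value.startswith(PREFIX)):
            return value
        path = value[len(PREFIX):]


def get_secret_implicit(store, path):
    """Ambiguous variant: any string value that equals an existing path is followed."""
    value = store[path]
    if isinstance(value, str) and value in store:
        return store[value]
    return value
```

With the prefix rule the plain value `sentry` is returned as data, while the implicit variant silently replaces it with the content stored at the `sentry` path.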