[Feature Request] Ability to specify fields to be masked in database/config output. #8131

Open
sebinjohn opened this issue Jan 10, 2020 · 2 comments

Comments

@sebinjohn
Contributor

sebinjohn commented Jan 10, 2020

Is your feature request related to a problem? Please describe.
In a database plugin, if the root credential can't be specified in the password field, it will not be masked in the output of vault read database/config/:name.
More context:
My organization has internally developed a database plugin to create an Artifactory token as a dynamic secret in Vault. Due to organizational constraints, an API Key is used instead of an admin username and password to create tokens dynamically.

The plugin is configured as below.

$ vault write database/config/artifactory \
  plugin_name="artifactory-plugin" \
  allowed_roles="test-role" \
  api_key="AKCp5e3p2H33kNaZf6TXBqbKXQsHYM3UCEfWbgVhFticKAa8bYsF2gMMM3gw1a6GmopFDqKta" \
  address="http://localhost:8000/artifactory"

The config would look like

$ vault read -format=json database/config/artifactory | jq -r .data.connection_details
{
  "address": "http://localhost:8000/artifactory",
  "api_key": "AKCp5e3p2H33kNaZf6TXBqbKXQsHYM3UCEfWbgVhFticKAa8bYsF2gMMM3gw1a6GmopFDqKta"
}

Describe the solution you'd like
Have a field in database/config/:name to specify which field should be masked in the config output.
e.g.:

$ vault write database/config/artifactory  \
    plugin_name=... \
    allowed_roles=... \
    address=... \
    api_key=... \
    mask=api_key

and the database/config/:name output will be

$ vault read -format=json database/config/artifactory | jq -r .data.connection_details
{
  "address": "http://localhost:8000/artifactory"
}
@sebinjohn sebinjohn changed the title Ability to specify fields to be masked in database/config output. [Feature Request] Ability to specify fields to be masked in database/config output. Jan 10, 2020
@catsby
Member

catsby commented Jan 15, 2020

Hello - as a workaround, is it possible to rename the api_key to password in the custom plugin? I believe that will get the desired effect, at the cost of a slight misnomer.

Long term, this seems like something that can be accomplished as you describe, though I would probably remove the sensitive keys instead of masking them. Adding a filter_keys type configuration variable that accepts a comma-separated string could then be used to filter out those keys from the ConnectionDetails map where the custom keys and data reside:
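
The filtering suggested in the comment above, sketched as an added example; it is not part of the original comment and is not Vault's code. The `filter_keys` name comes from the comment; the function names, the copy-on-read behaviour and the always-hidden `password` key are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// alwaysFiltered lists keys hidden regardless of configuration (assumption:
// "password" is included because the workaround in the thread relies on it).
var alwaysFiltered = []string{"password"}

// parseFilterKeys turns a comma-separated filter_keys value (option name
// taken from the thread) into a set, ignoring blanks and stray whitespace.
func parseFilterKeys(raw string) map[string]struct{} {
	set := make(map[string]struct{})
	for _, k := range alwaysFiltered {
		set[k] = struct{}{}
	}
	for _, k := range strings.Split(raw, ",") {
		if k = strings.TrimSpace(k); k != "" {
			set[k] = struct{}{}
		}
	}
	return set
}

// redactedView returns a copy of details without the filtered keys. The
// stored map is left untouched so the plugin can still read the credential.
func redactedView(details map[string]interface{}, filterKeys string) map[string]interface{} {
	drop := parseFilterKeys(filterKeys)
	out := make(map[string]interface{}, len(details))
	for k, v := range details {
		if _, hidden := drop[k]; !hidden {
			out[k] = v
		}
	}
	return out
}

func main() {
	// Constructed sample config; the API key is a placeholder value.
	stored := map[string]interface{}{
		"address": "http://localhost:8000/artifactory",
		"api_key": "EXAMPLE-API-KEY",
	}
	fmt.Println(redactedView(stored, " api_key, "))
	fmt.Println(len(stored)) // the stored config still holds both keys
}
```

Filtering on a copy matters here: deleting from the stored map on read would strip the credential the plugin needs for later token creation.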

@sebinjohn
Contributor Author

@catsby Yes. I will be implementing this workaround.
