allow environment to be at beginning of secrets_full_storage_key #17
Labels
Comments
|
you are very welcome to do a PR to support this :) |
d4be4st
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It is a lot easier to silo off environments from each other when the environment is at the beginning of the secret path. This is due to the fact that policies allow splats '*', but only at the end of the path (see https://www.vaultproject.io/docs/concepts/policies.html). We want to give some developers access to update the dev environment as they need. It is a lot easier to write a policy like this
read/write etc... '/secret/dev/*'
as opposed to multiple definitions for each application
read/write etc... '/secret/(app1)/dev/*'
read/write etc... '/secret/(app2)/dev/*'
read/write etc... '/secret/(app3)/dev/*'
read/write etc... '/secret/(app4)/dev/*'
This could get messy real quick.
This should be fairly easy to support. In the file 'lib/secrets_cli/vault/base.rb', instead of hard coding
def secrets_full_storage_key
File.join(secrets_storage_key, config.environment)
end
there could be a Proc (https://ruby-doc.org/core-2.2.0/Proc.html) that defaults to the current File.join command. Maybe I can do a PR for it.
The text was updated successfully, but these errors were encountered: