It is a lot easier to silo off environments from each other when the environment is at the beginning of the secret path. This is due to the fact that policies allow splats `*`, but only at the end of the path (see https://www.vaultproject.io/docs/concepts/policies.html). We want to give some developers access to update the dev environment as they need. It is a lot easier to write a policy like this

```
read/write etc... '/secret/dev/*'
```

as opposed to multiple definitions for each application

```
read/write etc... '/secret/(app1)/dev/*'
read/write etc... '/secret/(app2)/dev/*'
read/write etc... '/secret/(app3)/dev/*'
read/write etc... '/secret/(app4)/dev/*'
```

This could get messy real quick.

This should be fairly easy to support. In the file `lib/secrets_cli/vault/base.rb`, instead of hard coding

```ruby
def secrets_full_storage_key
  File.join(secrets_storage_key, config.environment)
end
```

there could be a Proc (https://ruby-doc.org/core-2.2.0/Proc.html) that defaults to the current `File.join` command. Maybe I can do a PR for it.
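The following is an added example, not code from the secrets_cli project or from the issue author. It shows the Proc-based layout override the issue proposes (a default lambda that reproduces the existing `File.join(secrets_storage_key, config.environment)` and an environment-first alternative), and pairs it with a minimal Vault-style path matcher that honours `*` only as a trailing prefix glob, so the difference in how many policy rules each layout needs can be checked mechanically. The names `KeyBuilder`, `DEFAULT_LAYOUT`, `ENV_FIRST_LAYOUT`, `policy_allows?` and `minimal_policy_rules` are assumptions for this example; Vault policy paths are written without a leading slash here, as the Vault docs do.

```ruby
# Added example (hypothetical names, not secrets_cli's own API).

# Default layout: reproduces the hard-coded File.join(secrets_storage_key, environment),
# i.e. secret/<app>/<env>.
DEFAULT_LAYOUT = ->(storage_key, environment) { File.join(storage_key, environment) }

# Environment-first layout: secret/<env>/<app>. The mount is the first path segment.
ENV_FIRST_LAYOUT = lambda do |storage_key, environment|
  mount, *rest = storage_key.split("/")
  File.join(mount, environment, *rest)
end

# Builds the full storage key through an injectable Proc, as the issue proposes.
class KeyBuilder
  def initialize(storage_key, environment, layout: DEFAULT_LAYOUT)
    @storage_key = storage_key
    @environment = environment
    @layout = layout
  end

  def secrets_full_storage_key
    @layout.call(@storage_key, @environment)
  end
end

# Vault ACL-style matching: a rule either matches a path exactly or, when it ends
# with '*', matches any path that starts with the text before the '*'. No other
# glob position is supported, which is the constraint the issue is built on.
def policy_allows?(rules, path)
  rules.any? do |rule|
    rule.end_with?("*") ? path.start_with?(rule.chomp("*")) : rule == path
  end
end

# Fewest trailing-glob rules that cover every given key for one environment:
# if the environment segment lies inside the common path prefix of all keys,
# a single '<prefix>/*' rule suffices; otherwise one rule per key is needed.
def minimal_policy_rules(full_keys, environment)
  return [] if full_keys.empty?

  segments = full_keys.map { |key| key.split("/") }
  common = segments.first.take_while.with_index { |seg, i| segments.all? { |s| s[i] == seg } }
  if common.include?(environment)
    [File.join(*common, "*")]
  else
    full_keys.map { |key| File.join(key, "*") }
  end
end

if $PROGRAM_NAME == __FILE__
  apps = %w[app1 app2 app3 app4] # constructed sample applications
  [DEFAULT_LAYOUT, ENV_FIRST_LAYOUT].each do |layout|
    keys = apps.map { |app| KeyBuilder.new("secret/#{app}", "dev", layout: layout).secrets_full_storage_key }
    rules = minimal_policy_rules(keys, "dev")
    puts "#{keys.inspect} -> #{rules.size} rule(s): #{rules.inspect}"
  end
end
```

With the app-first layout the common prefix of the four keys is just `secret`, so four rules are required; with the environment-first layout it is `secret/dev`, and the single rule `secret/dev/*` covers every app while still rejecting `secret/prod/...` paths.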
d4be4st changed the title from "enhancement: allow environment to be at beginning of secrets_full_storage_key" to "allow environment to be at beginning of secrets_full_storage_key" on Oct 30, 2018.