Skip to content

feat: dynamic secrets #638

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 119 commits into from
Sep 30, 2025
Merged

feat: dynamic secrets #638

merged 119 commits into from
Sep 30, 2025

Conversation

@rohan-chaturvedi
Copy link
Member

@rohan-chaturvedi rohan-chaturvedi commented Aug 30, 2025
edited by cursor bot
Loading

🔍 Overview

Adds Dynamic Secrets support, with AWS IAM as the first provider and architecture for additional providers in the future.

  • Create, update and delete Dynamic Secrets at any path from the Console
  • Create dynamic credentials for AWS IAM
  • Manually revoke leases or let scheduled expiry revoke them on AWS
  • Renew leases with custom TTLs
  • View and manage leases with detailed logging
  • RBAC for Lease management
  • REST API to fetch, renew and revoke dynamic secrets and leases

🖼️ Screenshots or Demo

Configure a Dynamic Secret

common-config

Generate a lease

generate-lease-1 generate-lease-2

View and manage Leases

leases-list lease-history renew-lease revoke-lease

💚 Did You...

  • Ensure linting passes (code style checks)?
    - [ ] Update dependencies and lockfiles (if required)
  • Update migrations (if required)
  • Regenerate graphql schema and types (if required)
  • Verify the app builds locally?
  • Manually test the changes on different browsers/devices?

Note

Introduce Dynamic Secrets with AWS IAM provider, leasing (create/renew/revoke), GraphQL/REST APIs, RBAC, and full Console UI; bump version to v2.52.0.

  • Backend:
    • Models/Migrations: Add DynamicSecret, DynamicSecretLease, DynamicSecretLeaseEvent (+ fields for TTLs, status, credentials, key_map) with related migrations.
    • Auth/Access: Resolve environment via secret_id; extend RBAC with DynamicSecretLeases permissions.
    • APIs:
      • REST: New endpoints to list dynamic secrets and create/renew/revoke leases (ee.integrations.secrets.dynamic.rest).
      • GraphQL: Types/queries/mutations for providers, secrets, and leases (create/update/delete/lease/renew/revoke); environment resolvers include dynamic_secrets and counts include dynamic.
    • AWS Provider: Implement IAM user/key creation, tagging, policy/group attach, cleanup, scheduled revocation, and lease scheduling via RQ; utility/exception suite.
    • Utils/Serializers: Duplicate-check considers dynamic key_map; serializers for org member/service account and dynamic secrets/leases.
    • Views: Secrets endpoints optionally include dynamic secrets and can auto-create leases; logging/audit events added.
    • Routing/Settings: Wire GraphQL resolvers/mutations and REST URLs; version -> v2.52.0.
  • Frontend:
    • Schema/Client: Regenerate GraphQL schema/types; add queries/mutations for dynamic secrets/leasing; cache policy for KeyMap.
    • UI: New Console flows to create/update/delete dynamic secrets, generate/renew/revoke leases, and view lease history (incl. environment and app listings); integrate dynamic secrets into env/app secrets views.
    • UX Tweaks: Minor component improvements (buttons, dialogs, inputs, progress bar, toggles, labels).

Written by Cursor Bugbot for commit a89ef7e. This will update automatically on new commits. Configure here.

@rohan-chaturvedi
feat: add DynamicSecret and DynamicSecretLease models with related fi…
02dd4be 
…elds and events

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: backend utils, resolvers and types
7dbe60d 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: generate schema and types
fbb40b3 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: add misc frontend utils
c9cc5dd 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: misc improvements to stepper styling
8daa7e2 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: add support for custom classes to input and label
428217c 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
fix: textarea label spacing
79bb77f 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
fix: ghost button spinner color
c687a86 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: add client side queries for providers, secrets and leases
2a2efb8 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: add client mutations to crud secrets and leases
62ff986 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
fix: alert spacing
986d2c8 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
fix: aws region picker label
b467f8a 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: dialog to create dynamic secrets
2afb906 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: frontend to view and manage dynamic secrets and leases
0da7f7c 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: add dynamic secrets to integrations page
9df7915 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: schedule all active leases for revoation when deleting a secret
133f236 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: refactor dynamic secret creation, validation, revocation logic
6ea430c 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: enhance duplicate check to include dynamic secrets key_map
16cc210 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: simplify secret deletion by directly calling delete method
2542040 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: encrypt key names in dynamic secret creation process
c65b5d1 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: encrypt key names in dynamic secret update process
4a14428 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: improve layout of TTL input and buttons in CreateLeaseDialog
3538c41 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: add environment prop to DynamicSecretRow
1f83fcc 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: enhance DynamicSecret component layout and add link to view secret
7f19844 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: add dynamic secrets handling and decryption in EnvironmentPath …
455a691 
…component

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: add and enforce permissions for DynamicSecretLeases
e8ba641 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
fix: duplicate check logic for dynamic secret key map
6934885 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
fix: cleanup create dialog props and rest form state on create
ff72d49 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: misc updates and improvements to TTL inputs
8e1e076 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
fix: duplicate key checking for existing dynamic secrets
1f08f56 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: implement custom exceptions for dynamic secret operations and l…
b9f2e37 
…ease handling

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
chore: clean up types
6ea662e 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 27, 2025
View reviewed changes
@rohan-chaturvedi
fix: ensure current TTL is safely accessed in RenewLeaseDialog
a4067ec 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
fix: add dynamic secrets to secret count for folder type
825a50e 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: add copy buttons for secret and lease id
0857852 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@nimish-ks
Copy link
Member

nimish-ks commented Sep 28, 2025

@cursor review

cursor[bot]

This comment was marked as outdated.

Sign in to view

@rohan-chaturvedi
fix: add loading state to leases list
25d615c 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: improve configure secret dialog header
a1954c4 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
fix: return 404 if no dynamic secrets match filter
2e6f786 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
fix: clean up duplicate code
b7fc04a 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
fix: correctly apply lease filter, misc cleanup
0dd6e53 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: add ttl param, granular exception handling to dynamic secrets view
f49512a 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
chore: cleanup
76e44e2 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 28, 2025
View reviewed changes
@rohan-chaturvedi
fix: change exception type from AuthenticationFailed to NotFound for …
10328dd 
…missing secret

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: add optional lease_ttl param to control ttl for leased credentials
e187822 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: return an error response for combined secrets api if leases can…
bcda6d1 
…not be generated

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 29, 2025
View reviewed changes
@rohan-chaturvedi
feat: enhance lease status display by indicating leases that due to e…
13a3a62 
…xpire

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
feat: improve spacing and layout in create and update dialogs
1f9e6be 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
chore: bump version
a89ef7e 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@nimish-ks
Copy link
Member

nimish-ks commented Sep 30, 2025

@cursor review

cursor[bot]
cursor bot reviewed Sep 30, 2025
View reviewed changes
@rohan-chaturvedi
fix: prevent bad ttl values being passed to mutation vars in case for…
d484443 
…m validation fails

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@rohan-chaturvedi
fix: clean up borders
5178a0f 
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
@nimish-ks nimish-ks merged commit d167e30 into main Sep 30, 2025
7 checks passed
@nimish-ks nimish-ks deleted the feat--dynamic-secrets branch September 30, 2025 11:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@nimish-ks nimish-ks nimish-ks approved these changes

Assignees

No one assigned

Labels

backend enhancement New feature or request frontend Change in frontend code updates migrations This PR adds new migrations that update the database schema

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rohan-chaturvedi @nimish-ks