Currently, if anyone wants to be able to retrieve secrets from Vault, they need to configure a CI 'secrets.hashicorp.vault.Server' in the configuration section.

However, if we give anyone access to that section, they could:
schedule control tasks,
schedule retention policies,
etc.
Many things we don't want them to have access to.

And they need access to it to renew the secret on their own. (Each team/project has its own Vault namespace, with its own AppRole and a secret with a defined TTL.)

It would be more convenient if the configuration was available somewhere else, OR if we could define exactly what roles have access to in the configuration section, to avoid users creating policies or anything other than a CI 'secrets.hashicorp.vault.Server'.

Comments

  • Currently, in the Deploy tool, there is no capability to specify detailed permissions for each Integration configuration. It's important to be aware that users with the ability to edit Policy configurations cannot save them unless they also have the additional Deploy Administrator permission. However, they can still access other items.

    We haven't received a similar request previously, and it would be valuable to understand if there is a broader demand for this feature among other customers.

  • They either have access to modify all items or nothing.
    And in the case of nothing, that means they cannot update a token for a Vault CI, nor create a new one.