
feat: explicit max ttl for secrets #199

Open; wants to merge 1 commit into base: main

Conversation


@gsantos-hc gsantos-hc commented May 1, 2024

Overview

Add explicit_max_ttl to Azure role attributes. When set, Application Secrets in Azure AD will be created with a maximum lifetime equal to explicit_max_ttl, instead of the hard-coded 10-year default in effect until now.

This enables organizations with compliance requirements to limit secret lifetimes to implement a hard ceiling on the secret's lifetime. This also serves as a backstop against the possibility of Vault failing to revoke the secret when the lease expires.

Design of Change

How was this change implemented?

Related Issues/Pull Requests

Contributor Checklist

  • Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet: Example
  • Add output for any tests not run in CI to the PR description (e.g., acceptance tests)
  • Backwards compatible

Add `explicit_max_ttl` to Azure role attributes. If set, Application
Secrets in Azure AD will be created with a maximum lifetime equal to
`explicit_max_ttl` instead of the hard-coded 10-year default in effect
until now.

Fixes hashicorp#178
Fixes VAULT-12316
@gsantos-hc (Author) commented May 3, 2024

One thing missing from this is communicating to the client that the secret won't be renewed beyond its initial explicit_max_ttl. Any ideas for that? Maybe the lease could be marked non-renewable when the remaining lifetime under explicit_max_ttl is less than the role's TTL?
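The two mechanics discussed in this thread, the PR description's rule that the Azure AD secret's end date is now + explicit_max_ttl (falling back to the 10-year default when unset) and the comment's idea of capping renewals and marking the lease non-renewable once the remaining lifetime under the ceiling can no longer cover another role TTL, are worked through below in an added Go example. This is illustration code, not the plugin's implementation: the Role struct, the constant name defaultMaxTTL, and the decideRenewal heuristic are assumptions made for the example, and the 10-year default is approximated as ten 365-day years.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// defaultMaxTTL stands in for the hard-coded 10-year lifetime the PR description
// says applied before explicit_max_ttl existed (assumed name; 365-day years).
const defaultMaxTTL = 10 * 365 * 24 * time.Hour

// Role is the subset of role attributes this example needs (assumed shape, not
// the plugin's own struct).
type Role struct {
	TTL            time.Duration // lease TTL granted per issuance or renewal
	ExplicitMaxTTL time.Duration // hard ceiling on the secret's lifetime; 0 means unset
}

// credentialEndDate returns the end date to request for the Azure AD application
// password credential: now + explicit_max_ttl when set, else the 10-year default.
func credentialEndDate(now time.Time, r Role) time.Time {
	if r.ExplicitMaxTTL <= 0 {
		return now.Add(defaultMaxTTL)
	}
	return now.Add(r.ExplicitMaxTTL)
}

// RenewDecision is the outcome of a renewal request evaluated against the ceiling.
type RenewDecision struct {
	GrantedTTL time.Duration // extension actually granted (truncated at the ceiling)
	Renewable  bool          // whether the lease should still advertise itself as renewable
}

// decideRenewal applies the heuristic floated in the thread (assumed, not the
// plugin's behaviour): grant min(role TTL, remaining lifetime), and mark the
// lease non-renewable when the remaining lifetime is no larger than the role TTL,
// i.e. when this grant reaches the secret's end date.
func decideRenewal(now, endDate time.Time, r Role) (RenewDecision, error) {
	remaining := endDate.Sub(now)
	if remaining <= 0 {
		return RenewDecision{}, errors.New("secret has reached explicit_max_ttl; a new credential must be issued")
	}
	granted := r.TTL
	if granted > remaining {
		granted = remaining // cannot extend past the Azure AD credential's end date
	}
	// Anything left after this grant? If not, the client must not expect another renewal.
	return RenewDecision{GrantedTTL: granted, Renewable: remaining-granted > 0}, nil
}

func main() {
	// Constructed scenario: 72h ceiling, 24h lease TTL, issued at a fixed instant.
	issued := time.Date(2024, 5, 1, 0, 0, 0, 0, time.UTC)
	role := Role{TTL: 24 * time.Hour, ExplicitMaxTTL: 72 * time.Hour}
	end := credentialEndDate(issued, role)
	fmt.Println("credential end date:", end.Format(time.RFC3339))

	for _, at := range []time.Duration{24 * time.Hour, 60 * time.Hour, 72 * time.Hour} {
		d, err := decideRenewal(issued.Add(at), end, role)
		if err != nil {
			fmt.Printf("renew at +%v: refused (%v)\n", at, err)
			continue
		}
		fmt.Printf("renew at +%v: granted %v, renewable=%t\n", at, d.GrantedTTL, d.Renewable)
	}
}
```

With the constructed 72h ceiling and 24h TTL, the renewal at +24h gets a full 24h and stays renewable, the one at +60h is truncated to 12h and flagged non-renewable (so the client learns up front that this is the last extension), and the one at +72h is refused. The non-renewable flag is what the comment above asks for: a signal that re-issuance, not renewal, is the next step.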

Successfully merging this pull request may close these issues.

Azure secrets engine, ability to specify static SPN secret expiry