Approval process for manually managed secrets

For critical changes, such as updating a manually provided secret, we require peer approval. Think of it like a “pull request”, but the reviewer is not viewing the secret. They are reviewing the reason for the change and the potential impact of the change.

What are your thoughts on accomplishing this with Vault?

Not sure how wrapping the secret would help here. Unless you only have 1 KV pair in each secret, wrapping the secret is going to hide too much and not really provide any clarity.

I can’t think of a good pre-change “approval”, but a post-change one could look something like this: trigger a post-update catch (via audit log) that triggers a notification that a secret in “path” was updated by whomever (addr, display name, auth, etc.). That would then have an associated ticket that needs to be explained.
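The post-change catch described in that reply, written out as an added example (this is not code from the poster or from Vault itself). It scans JSON lines in the shape Vault's `file` audit device emits, keeps only completed write operations under KV v2 paths, and renders the notification text a ticketing hook would send. The sample log lines, the actor names and addresses, and the `find_secret_changes` / `format_notification` names are constructed for this example; the field names (`type`, `auth.display_name`, `request.operation`, `request.path`, `request.remote_address`) are those of the audit log format.

```python
"""Post-change detection for manually managed Vault secrets (added example).

Scans JSON lines as emitted by Vault's 'file' audit device, keeps only
completed write operations under watched KV v2 paths, and renders the
notification a ticketing hook would send.  Sample entries are constructed.
"""
import json

# Operations that change a secret; reads are ignored.
WRITE_OPS = {"create", "update", "patch", "delete"}

# KV v2 path prefixes that represent a change to secret data or its lifecycle.
WATCHED_PREFIXES = ("secret/data/", "secret/delete/", "secret/destroy/", "secret/metadata/")


def _entry(kind, actor, op, path, addr, policies, error=None, t="2024-05-01T10:00:00Z"):
    """Build one audit entry in the file-device layout (constructed sample data)."""
    e = {
        "time": t,
        "type": kind,
        "auth": {"display_name": actor, "policies": policies, "token_type": "service"},
        "request": {"operation": op, "path": path, "remote_address": addr},
    }
    if error:
        e["error"] = error
    return json.dumps(e)


# Constructed sample: request/response pairs as Vault logs them, plus a denied write.
SAMPLE_AUDIT_LOG = "\n".join([
    _entry("request", "oidc-alice", "update", "secret/data/payments/db", "10.1.2.3", ["secrets-admin"]),
    _entry("response", "oidc-alice", "update", "secret/data/payments/db", "10.1.2.3", ["secrets-admin"]),
    _entry("response", "oidc-bob", "read", "secret/data/payments/db", "10.1.2.9", ["payments-ro"]),
    _entry("response", "token-ci", "update", "secret/data/app/cfg", "10.2.0.4", ["ci"],
           error="1 error occurred:\n\t* permission denied\n\n"),
    _entry("response", "oidc-carol", "delete", "secret/metadata/old/key", "10.1.2.7", ["secrets-admin"],
           t="2024-05-01T10:05:00Z"),
])


def find_secret_changes(log_text, prefixes=WATCHED_PREFIXES):
    """Return completed writes under the watched prefixes, oldest first."""
    changes = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial lines, e.g. around log rotation
        # Only the 'response' entry without an error proves the request completed.
        if entry.get("type") != "response" or entry.get("error"):
            continue
        req = entry.get("request", {})
        path = req.get("path", "")
        if req.get("operation") not in WRITE_OPS or not path.startswith(prefixes):
            continue
        auth = entry.get("auth", {})
        changes.append({
            "time": entry.get("time"),
            "actor": auth.get("display_name", "<unknown>"),
            "policies": auth.get("policies", []),
            "operation": req["operation"],
            "path": path,
            "addr": req.get("remote_address", "<unknown>"),
        })
    return changes


def format_notification(change):
    """Render the ticket text: who changed what, from where, under which policies."""
    return (f"[{change['time']}] secret {change['operation']} on '{change['path']}' "
            f"by {change['actor']} from {change['addr']} "
            f"(policies: {', '.join(change['policies'])}) - justification required")


if __name__ == "__main__":
    for c in find_secret_changes(SAMPLE_AUDIT_LOG):
        print(format_notification(c))
```

Feed it the audit file tail (or the socket device stream) and post each rendered line to the ticketing system; the `request` entry alone is not enough, since a denied write also produces one, which is why only error-free `response` entries are counted.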

Vault Enterprise has its Control Group feature, which could be used for this.

However, it’s not very flexible, and it won’t let you confirm, for example, the difference between a read, write or delete - it only lets you see the path involved.

Also, if you’re not already paying for Enterprise, it would likely be very uneconomical to buy it just for this.

At which point, you basically need to implement your approval workflow in your own custom service, which uses privileged credentials that no human is able to access, to write to Vault.
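The custom approval service that reply ends with, sketched as an added example (not the poster's code and not a Vault feature). The broker is the only component holding a Vault token that can write the path; a requester submits the new value with a justification, reviewers see the path, the reason and a digest of the value but never the value itself, and the broker writes through Vault's KV v2 HTTP API (`POST /v1/secret/data/<path>` with a `{"data": ...}` body) only once someone other than the requester has approved. The class and method names (`ApprovalBroker`, `propose`, `approve`, `apply`, `review_view`) and the sample users and paths are this example's own assumptions.

```python
"""Peer-approved secret changes via a broker service (added example).

Only the broker holds a token able to write the path.  Reviewers approve
the reason and impact without seeing the value; the broker writes through
Vault's KV v2 HTTP API once an approver other than the requester signs off.
"""
import hashlib
import json
import secrets
import urllib.request
from dataclasses import dataclass, field


@dataclass
class ChangeRequest:
    id: str
    requester: str
    path: str          # KV v2 data path, e.g. secret/data/payments/db
    reason: str
    digest: str        # sha256 of the canonical JSON of the new value
    approvals: set = field(default_factory=set)
    applied: bool = False


def vault_kv2_writer(vault_addr, token):
    """Return a function that writes KV v2 data via POST /v1/<path>."""
    def write(path, data):
        body = json.dumps({"data": data}).encode()
        req = urllib.request.Request(
            f"{vault_addr}/v1/{path}", data=body, method="POST",
            headers={"X-Vault-Token": token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read() or b"{}")
    return write


class ApprovalBroker:
    def __init__(self, writer, required_approvals=1):
        self._write = writer                # the only path to Vault
        self._required = required_approvals
        self._requests = {}
        self._pending_values = {}           # new values live only inside the broker

    def propose(self, requester, path, reason, new_value):
        if not path.startswith("secret/data/"):
            raise ValueError("only KV v2 data paths are brokered")
        canon = json.dumps(new_value, sort_keys=True).encode()
        cr = ChangeRequest(id=secrets.token_hex(8), requester=requester, path=path,
                           reason=reason, digest=hashlib.sha256(canon).hexdigest())
        self._requests[cr.id] = cr
        self._pending_values[cr.id] = new_value
        return cr

    def review_view(self, request_id):
        """What a reviewer sees: path, reason, digest and approvals, no secret material."""
        cr = self._requests[request_id]
        return {"id": cr.id, "requester": cr.requester, "path": cr.path,
                "reason": cr.reason, "digest": cr.digest, "approvals": sorted(cr.approvals)}

    def approve(self, request_id, approver):
        cr = self._requests[request_id]
        if cr.applied:
            raise ValueError("change already applied")
        if approver == cr.requester:
            raise PermissionError("requester cannot approve their own change")
        cr.approvals.add(approver)
        return cr

    def apply(self, request_id):
        cr = self._requests[request_id]
        if cr.applied:
            raise ValueError("change already applied")
        if len(cr.approvals) < self._required:
            raise PermissionError(f"{len(cr.approvals)}/{self._required} approvals")
        result = self._write(cr.path, self._pending_values.pop(request_id))
        cr.applied = True
        return result


if __name__ == "__main__":
    # Against a real server: ApprovalBroker(vault_kv2_writer("https://vault.example:8200", TOKEN))
    broker = ApprovalBroker(lambda path, data: {"data": {"version": 1, "path": path}})
    cr = broker.propose("alice", "secret/data/payments/db", "rotate after vendor notice",
                        {"password": "constructed-sample"})
    print(broker.review_view(cr.id))
    broker.approve(cr.id, "bob")
    print(broker.apply(cr.id))
```

Pair this with the audit-log notification from the earlier reply: the audit entries for brokered writes will all carry the broker's own display name, so any write to the path by a human identity is, by construction, one that bypassed review.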