Thanks @mgritter, I’ve moved the other issue to a separate issue.
As it stands there is a considerable auditability opportunity in Vault. A git, gh, etc. log can tell us what policies should have been in place - by way of the hcl file.
What were the actual policies, and what are the actual policies in place? Only Vault can report that.
From my PoV, something like the following (here I show the report, but it would be a base64-encoded string that the signature relates to; when a user decodes the string they see the report):
$ vault token report s.nvhgytirp85854784j
{
  "signature": "<report-minisign-signature>",
  "base64": {
    "report": {
      "datetime": "<iso8601>",
      "next-key": "<public-minisign-key-for-next-report-signature-check>",
      "path": {
        "sys/health": {
          "capabilities": "read"
        }
      },
      ...
    }
  }
}
would be sufficient. This result could be stored in a version system or database.
Is there an issue tracking this type of feature?
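The signed, chained report sketched in this comment, as an added example that is neither part of the thread nor of Vault: it assumes raw ed25519 signatures in place of minisign, a base64 JSON payload, and out-of-band trust in the first public key; `Sign` and `VerifyChain` are hypothetical names for the producer and for an auditor that replays stored reports, stopping at the first one whose signature or next-key does not check out.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Report is the decoded payload proposed above; next-key verifies the following report.
type Report struct {
	Datetime string                       `json:"datetime"`
	NextKey  string                       `json:"next-key"` // base64 raw ed25519 key (assumption, not minisign's framing)
	Path     map[string]map[string]string `json:"path"`
}

// SignedReport is the envelope: base64 JSON report plus a detached signature over that string.
type SignedReport struct {
	Signature string `json:"signature"`
	Base64    string `json:"base64"`
}

// Sign serialises one report and signs it with the private half of the key the previous report announced.
func Sign(priv ed25519.PrivateKey, r Report) SignedReport {
	raw, _ := json.Marshal(r) // cannot fail: Report holds only strings and string maps
	b64 := base64.StdEncoding.EncodeToString(raw)
	return SignedReport{Signature: base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(b64))), Base64: b64}
}

// VerifyChain replays stored reports: the first must verify under trustedPub (obtained out of
// band), each later one under its predecessor's next-key. Returns the reports verified so far.
func VerifyChain(trustedPub ed25519.PublicKey, chain []SignedReport) ([]Report, error) {
	key, out := trustedPub, []Report{}
	for i, s := range chain {
		sig, err := base64.StdEncoding.DecodeString(s.Signature)
		if err != nil || len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, []byte(s.Base64), sig) {
			return out, fmt.Errorf("report %d: signature does not verify", i)
		}
		var r Report
		raw, err := base64.StdEncoding.DecodeString(s.Base64)
		if err != nil || json.Unmarshal(raw, &r) != nil {
			return out, fmt.Errorf("report %d: payload is not base64-encoded JSON", i)
		}
		next, err := base64.StdEncoding.DecodeString(r.NextKey)
		if err != nil || len(next) != ed25519.PublicKeySize { // Verify panics on a wrong-size key
			return out, fmt.Errorf("report %d: next-key is not an ed25519 public key", i)
		}
		out, key = append(out, r), ed25519.PublicKey(next)
	}
	return out, nil
}
```

Because each report carries the key for the next one, an auditor only needs to pin the first public key; a gap, a replayed old report, or a report signed by a stale key fails verification at that index.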