Does Integrated Storage support watch feature

sameergn · August 29, 2022, 4:51pm

Does Integrated Storage support watch feature like provided by Consul?

maxb · August 29, 2022, 9:00pm

Your question is a bit confusing, as Consul watches are a user facing feature, whereas Vault’s Integrated Storage is an internal implementation detail that users of Vault do not directly interact with.

But, no, Vault doesn’t have a feature similar to this.

sameergn · August 29, 2022, 11:01pm

Thanks @maxb
The background to my question is as follows.

We want to watch for changes in vault secrets.

Suggestion is to use watch mechanism in the backing store used by vault to store secrets.

E.g. If consul is used to store vault secrets, then an HTTP endpoint can be configured to receive updates.

Since vault natively supports “Internal Raft based” storage, wanted to know if it provides any similar watch mechanism.

maxb · August 30, 2022, 6:48am

Ah, that makes sense.

I wouldn’t really recommend trying that with Consul, as it means giving ordinary users of Vault full access to the backing data - which, OK, is encrypted, still weakens the overall defence in depth.

In any case, no such similar approach is possible with Integrated Storage, which cannot be directly interacted with bypassing Vault at all.

Topic		Replies	Views
Sanity check with Consul Watch Consul	2	413	September 7, 2020
Consul supported versions with vault v1.9.2 Consul	1	133	September 18, 2023
How does the application know to use the updated secret within HashiCorp Vault? Vault	2	2779	August 21, 2020
Vault integrated storage with service discovery through consul Vault	0	225	February 4, 2022
Need to use watches for an use key value store consul Consul kv	5	3788	March 31, 2020

Does Integrated Storage support watch feature

Related topics