Feature request to add custom metadata to kv secrets

I have had this request open for a while now and wanted to surface the idea here for discussion: Store user-specified values in kv v2 secrets metadata · Issue #7905 · hashicorp/vault · GitHub

The idea being that we want to enforce the addition of custom metadata or tags to each secret on a specific path. This would enable both Sentinel policy and reporting goals we have. With kv-v2 we can grant read access to the metadata separately from the secret itself, which is ideal.

Our current approach is to enforce a secret format with mandatory keys and values that are enforced by Sentinel policy. The challenge with this is that the secret and the metadata are at the same path and controlled by the same policy.

I looked at requiring a second, separate secret that holds only the needed metadata, but the Sentinel policy enforcement breaks down in that scenario.

Are there other approaches for enforcing metadata on a kv-v2 secret?

If this is a feature you would use, a thumbs up on the issue may help get this worked on.



@trodemaster Is this feature available now?

Yep! Was released with 1.9.

This is great. One of the features teams have been asking for is the ability to tag “rotation date” and be able to filter by it so that they know when a secret is due to be rotated. It would be great if this could be a feature built-in but for now we’ll take custom metadata tags.

We are building out a system for scanning these metadata fields and doing things like notifying people it’s time to rotate secrets. Having the details in the metadata allows us to have the scanning process only access the metadata and not the actual secrets. I’m sure people will figure out a number of uses for the custom metadata.
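The two points raised in this thread, that KV v2 serves metadata from `<mount>/metadata/<path>` while the secret itself lives under `<mount>/data/<path>` (so a policy can grant `read` on the first without the second), and that a scanner can work from a `rotation_date` tag without ever touching secret values, can be shown in a small script. The following is an added example written for this thread, not the poster's tooling or anything shipped with Vault; the tag name `rotation_date`, the two-week warning window, the `scan`/`rotation_status` helper names and the sample metadata documents are all assumptions made here. Vault itself treats `custom_metadata` as a free-form string-to-string map and imposes no such convention.

```python
"""Report KV v2 secrets due for rotation using only their custom metadata.

Added example, not the original poster's tooling. Assumes (by convention,
not Vault requirement) a custom_metadata key "rotation_date" holding an
ISO-8601 calendar date (YYYY-MM-DD).
"""
import json
from datetime import date
from typing import Dict, List, Optional, Tuple
from urllib.request import Request, urlopen

ROTATION_TAG = "rotation_date"   # assumed tag name, not a Vault built-in
WARN_DAYS = 14                   # assumed: flag secrets due within two weeks


def metadata_url(vault_addr: str, mount: str, path: str) -> str:
    """KV v2 keeps metadata at <mount>/metadata/<path>; the secret value is
    at <mount>/data/<path>. The scanner's policy only needs 'read' on the
    metadata path, so it can never retrieve the secret itself."""
    return f"{vault_addr.rstrip('/')}/v1/{mount}/metadata/{path}"


def fetch_metadata(vault_addr: str, token: str, mount: str, path: str) -> dict:
    """GET one metadata document from a live Vault (not exercised offline)."""
    req = Request(metadata_url(vault_addr, mount, path),
                  headers={"X-Vault-Token": token})
    with urlopen(req) as resp:
        return json.load(resp)


def rotation_status(metadata_doc: dict, today: date,
                    warn_days: int = WARN_DAYS) -> Tuple[str, Optional[int]]:
    """Classify one metadata document.

    Returns (status, days_until_due). status is "missing" (tag absent),
    "invalid" (tag is not a YYYY-MM-DD date), "overdue", "due_soon" or "ok";
    days_until_due is None for "missing" and "invalid".
    """
    # custom_metadata is null in the response when it was never set.
    custom = metadata_doc.get("data", {}).get("custom_metadata") or {}
    raw = custom.get(ROTATION_TAG)
    if raw is None:
        return "missing", None
    try:
        due = date.fromisoformat(raw)
    except ValueError:
        return "invalid", None
    days = (due - today).days
    if days < 0:
        return "overdue", days
    if days <= warn_days:
        return "due_soon", days
    return "ok", days


def scan(docs: Dict[str, dict], today: date) -> Dict[str, List[str]]:
    """Group secret paths by rotation status. Only metadata documents are
    consumed, so nothing here ever sees a secret value."""
    report: Dict[str, List[str]] = {}
    for path, doc in docs.items():
        status, _ = rotation_status(doc, today)
        report.setdefault(status, []).append(path)
    return report


# Constructed sample responses in the shape of GET /v1/<mount>/metadata/<path>
# (Vault 1.9+, which added custom_metadata). Only the fields the scanner
# reads are filled in; the paths and values are invented for this example.
SAMPLE_DOCS = {
    "apps/billing/db": {"data": {"current_version": 3,
                                 "custom_metadata": {"owner": "billing",
                                                     "rotation_date": "2024-01-15"}}},
    "apps/web/api-key": {"data": {"current_version": 1,
                                  "custom_metadata": {"rotation_date": "2024-06-10"}}},
    "apps/legacy/ftp": {"data": {"current_version": 7, "custom_metadata": None}},
    "apps/ci/token": {"data": {"current_version": 2,
                               "custom_metadata": {"rotation_date": "soon"}}},
}
SAMPLE_TODAY = date(2024, 6, 1)   # fixed so the sample run is reproducible


if __name__ == "__main__":
    for status, paths in sorted(scan(SAMPLE_DOCS, SAMPLE_TODAY).items()):
        print(f"{status:9s} {', '.join(sorted(paths))}")
```

To feed this from a real Vault, the tag is set with `vault kv metadata put -custom-metadata=rotation_date=2024-06-10 secret/apps/web/api-key` and the scanner's token gets a policy with `read` (and `list`) on `secret/metadata/*` but no capability on `secret/data/*`; `fetch_metadata` above then returns documents in the same shape as `SAMPLE_DOCS`. Note that the `custom_metadata` field is `null` rather than an empty map until something has been written to it, which is why the scanner treats `None` and `{}` alike.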

This is a very useful improvement. Would like to see a small improvement to it though.

Please add the ‘json’ toggle to the metadata UI like you have for the secrets tab.