I have had this request open for a while now and wanted to surface the idea here for discussion: "Store user specified values in kv v2 secrets metadata" (hashicorp/vault issue #7905).
The idea being we want to enforce the addition of custom metadata or tags to each secret on a specific path. This would enable both Sentinel policy and reporting goals we have. With kv-v2 we can grant read access to the metadata separate from the secret itself, which is ideal.
Our current approach is to enforce a secret format with mandatory keys and values that are enforced by Sentinel policy. The challenge with this is that the secret and the metadata are at the same path and controlled by the same policy.
I looked at requiring a second separate secret that holds only the needed metadata, but the Sentinel policy enforcement breaks down in that scenario.
Are there other approaches for enforcing metadata on a kv-v2 secret?
If this is a feature you would use, a thumbs up on the issue may help this get worked on.
Thanks,
Blake
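To make the trade-off in the post concrete, here is an added example (not code from the issue, the poster, or Vault itself) that models the two things it relies on: the mandatory-key check that is currently done in a Sentinel policy, and the kv-v2 split of one logical secret into a `<mount>/data/` path and a `<mount>/metadata/` path that Vault policies can grant separately. The mount name `secret`, the mandatory key names, the two policies and the sample secret are all constructed for the example, and the policy matcher is a deliberately simplified model of Vault's longest-prefix evaluation; nothing here talks to a Vault server.

```python
"""Added example (not Vault's or the issue's code): a local model of the kv-v2
data/metadata path split and of the mandatory-key check the post describes.
Mount name "secret", the key names, the policies and the sample secret are all
constructed for this example; nothing here talks to a Vault server."""
from typing import Dict, List, Optional, Sequence

# Keys every secret must carry (constructed; stands in for the post's
# "mandatory keys and values").
MANDATORY_KEYS: Sequence[str] = ("owner", "classification")


def kv2_paths(mount: str, secret_path: str) -> Dict[str, str]:
    """kv-v2 exposes one logical secret under two API paths: the secret's
    contents under <mount>/data/ and its metadata under <mount>/metadata/."""
    return {
        "data": f"{mount}/data/{secret_path}",
        "metadata": f"{mount}/metadata/{secret_path}",
    }


def build_write_body(secret: Dict[str, str], cas: Optional[int] = None) -> dict:
    """Request body for a write to <mount>/data/<path>: the key/value pairs go
    under "data", and an optional check-and-set version under "options"."""
    body: dict = {"data": dict(secret)}
    if cas is not None:
        body["options"] = {"cas": cas}
    return body


def missing_mandatory_keys(body: dict, mandatory: Sequence[str] = MANDATORY_KEYS) -> List[str]:
    """The check the post enforces with Sentinel: every mandatory key must be
    present and non-blank in the secret being written. Returns the offenders."""
    data = body.get("data") or {}
    return [k for k in mandatory if not str(data.get(k, "")).strip()]


def allowed(policy: Dict[str, Sequence[str]], path: str, capability: str) -> bool:
    """Simplified model of Vault policy evaluation: a rule matches the path
    exactly or as a trailing-'*' prefix, and the longest matching rule decides."""
    best: Optional[str] = None
    for pattern in policy:
        exact = pattern == path
        glob = pattern.endswith("*") and path.startswith(pattern[:-1])
        if (exact or glob) and (best is None or len(pattern) > len(best)):
            best = pattern
    return best is not None and capability in policy[best]


# Constructed policies: the application may write its own secrets; the
# reporting role may only read metadata, which is the separation the post
# calls ideal.
APP_POLICY = {
    "secret/data/apps/*": ["create", "update", "read"],
    "secret/metadata/apps/*": ["read", "list"],
}
REPORTING_POLICY = {
    "secret/metadata/apps/*": ["read", "list"],
}


def tags_visible_to(policy: Dict[str, Sequence[str]], mount: str, secret_path: str) -> bool:
    """With the current approach the tags live inside the secret's data, so a
    role that can read only the metadata path never sees them. That is the
    problem the post describes: tags and secret share one path and one policy."""
    return allowed(policy, kv2_paths(mount, secret_path)["data"], "read")


if __name__ == "__main__":
    paths = kv2_paths("secret", "apps/billing")
    good = build_write_body({"password": "hunter2", "owner": "team-billing", "classification": "internal"})
    bad = build_write_body({"password": "hunter2", "owner": "team-billing"})
    print("write accepted:", missing_mandatory_keys(good) == [])                 # True
    print("write rejected, missing:", missing_mandatory_keys(bad))                # ['classification']
    print("reporting reads metadata:", allowed(REPORTING_POLICY, paths["metadata"], "read"))  # True
    print("reporting reads data:", allowed(REPORTING_POLICY, paths["data"], "read"))          # False
    print("reporting sees tags today:", tags_visible_to(REPORTING_POLICY, "secret", "apps/billing"))  # False
```

The last line of the demo is the gap the issue asks to close: the reporting role can read `secret/metadata/apps/billing` but not `secret/data/apps/billing`, so as long as the tags are stored as ordinary keys in the secret's data, a metadata-only grant cannot see them, and the tags are protected by exactly the same policy as the password they sit next to.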