How to make a specific key/value invisible

Hi,
Background
I am trying to make a specific key/value stored under the kv secret engine invisible.

Question
1. Is it possible to disable the “copy” and “see” components in the Web UI page? Please refer to the attachment.

2. How can I make abc’s value visible while def’s value cannot be seen?
    I have created an EGP; however, it doesn’t work:
import "strings"

# A list of valid keys for this path
param valid_keys default ["abc"]

is_valid_key = func() {
  # Print some debugging info
  print("Namespace path:", namespace.path)
  print("Request path:", request.path)
  print("Request data:", request.data)
  

  for request.data.data as key {
    if !(valid_keys contains key) {
      print(key, "not contained within", valid_keys)
      # Found an invalid key name - mark update as invalid
      return false
    }
  }
  return true
}
    
    
precond = rule {
  # Only apply the rule when reading or listing a secret
  request.operation == "read" or request.operation == "list"
}

main = rule when precond {
  # Call function to determine validity of the keys in the request
  is_valid_key()
}

This isn’t possible, because as far as Vault is concerned, you have a single value that contains some JSON:

{
  "abc": "....",
  "def": "...."
}

All of Vault’s policy works on paths - in your example you appear to have a path kv within a secret engine also called kv.

If you want to apply different access policies to different bits of data, they need to be stored at different paths in the KV secrets engine.

(The language here is quite awkward to use - the KV secrets engine has “keys” (paths) that contain “values” which are JSON and therefore contain (sub)keys and values of their own.)

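Added example, not part of the original thread: a Vault ACL policy for the split-path layout the answer above recommends. It assumes a KV version 2 engine mounted at `kv` and uses hypothetical secret paths `app/abc` and `app/def`.

```hcl
# Assumptions (not from the thread): KV version 2 engine mounted at "kv",
# and hypothetical secret paths "app/abc" and "app/def".
#
# Before: one secret at kv/kv holding {"abc": "...", "def": "..."}.
#         A policy can only allow or deny that whole JSON document.
# After:  each value is its own secret, so each has its own path:
#           kv/app/abc -> {"value": "..."}
#           kv/app/def -> {"value": "..."}
#
# KV v2 serves secret contents under <mount>/data/ and key listings
# under <mount>/metadata/, so policy paths must include those prefixes.

# The value stored at app/abc can be read.
path "kv/data/app/abc" {
  capabilities = ["read"]
}

# The value stored at app/def cannot be read. Vault denies by default, but an
# explicit "deny" also overrides a broader grant (for example "kv/data/*")
# from any other policy attached to the same token.
path "kv/data/app/def" {
  capabilities = ["deny"]
}

# Optional: allow listing the names under app/.
# The names "abc" and "def" are shown, never their values.
path "kv/metadata/app/" {
  capabilities = ["list"]
}
```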

Hi Maxb,

Thanks for your reply and advice.
Then I will try to store the key/value under another path and make it invisible.