Mass moving secrets to a new team: how?


In my company (MSP), we have a process to build clients’ projects. We have a “Build” team. When a build (deploying multiple VMs, hosting, configuration, etc.) is done, the project moves from the Build team to the “Run” team.

For a project, I can have multiple secrets (currently, only in a KV-v2 store). Each secret for a project is in a dedicated “folder” (I know, it’s not a real folder).

When the project moves to the Run team, I need to hide all secrets to the Build team, and all secrets for this project must be visible to the Run team.

How can I achieve this? I have two policies, one for the Build team and one for the Run team.
Do I need to move (rename) the secrets folder to match a policy?
But it’s… “difficult” (I must rename multiple secrets). It must be simple.
Or a trick with policy + template?
Any idea for a simpler solution?

Thank you.


From the Zero Trust Security model perspective, I’m not sure that it is a good idea to “move” the secrets. I would keep the secrets short-lived and regenerate for each stage.
To move the secrets config you can try this command: secrets move - Command | Vault | HashiCorp Developer

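The layout that the `secrets move` suggestion implies, as an added example that is not part of any post in this thread: `vault secrets move` relocates a whole secrets engine mount, not a path inside a KV-v2 mount, so it only gives a one-command handover if each project gets its own KV-v2 mount under a stage prefix. The mount prefixes `build/` and `run/`, the project name `projectA`, and the policy names `build-team` and `run-team` are assumptions chosen for this illustration.

```hcl
# build-team.hcl (assumed policy name): the Build team sees every mount under the "build/" prefix.
# A KV-v2 mount at build/projectA serves data at build/projectA/data/<key> and
# version metadata at build/projectA/metadata/<key>; the trailing "*" glob covers both.
path "build/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# run-team.hcl (assumed policy name): the Run team sees every mount under the "run/" prefix.
# Read-only here on purpose; widen the capabilities if Run also has to write.
path "run/*" {
  capabilities = ["read", "list"]
}
```

With these two static policies, a project starts as `vault secrets enable -path=build/projectA kv-v2`, and the handover is `vault secrets move build/projectA run/projectA`. After the move the Build policy no longer matches any of the project's paths and the Run policy matches all of them, so no policy edit and no per-project policy is needed. The cost is the layout change from what the question describes: one KV-v2 mount per project rather than a folder inside a shared mount, and the mount is briefly unavailable while Vault performs the move.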

Oh, I didn’t see there is a move command! Sorry.

I agree. Moving secrets is not a good solution. But I’m searching for tips to update policies without having a policy for each client/project.