Hello! Please take a look at https://github.com/mozilla/sops/pull/623.
It is a pull request to Mozilla SOPS, a tool for encrypting values in JSON and YAML files, implementing an option to encrypt data using Vault Transit keys.
SOPS maintainer Adrian and I are having a discussion about the unique resource identifier for Vault secrets, particularly Transit keys.
The question is: what is the better way to specify a Transit key?
In my opinion, an HTTP URI like http://localhost/v1/transit/keys/mykey is not actually a resource identifier for the key itself; instead, it is an API method identifier. It can also be ambiguous in some cases. So I suggested specifying the Vault URI, backend mount path and key name as separate parameters.
Adrian considers that the key URI should be represented as a single string, to unify it with the other key types (AWS ARN or GCP KMS URI).
The PR needs the Vault maintainers' advice. Thanks in advance.
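As an added illustration (not code from the PR or from SOPS itself), here is how the single-string form discussed above can be mapped to the three separate parameters and back. It assumes the URI follows `<address>/v1/<mount path>/keys/<key name>` and that key names contain no slash, so the last path segment is always the key name; the `TransitKey` type and the function names are my own.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// TransitKey is the three-parameter form of a Vault Transit key reference
// (illustrative type, not the PR's own).
type TransitKey struct {
	Address string // Vault server address, e.g. http://localhost:8200
	Mount   string // mount path of the Transit secrets engine, may contain slashes
	Name    string // Transit key name, e.g. "mykey"
}

// ParseTransitKeyURI splits <address>/v1/<mount>/keys/<name> into its parts.
// The key name is the last segment and the mount path is everything between
// "v1" and the final "keys" segment, so nested mounts like "team/transit"
// survive the round trip. Assumes key names never contain "/".
func ParseTransitKeyURI(raw string) (TransitKey, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return TransitKey{}, err
	}
	if u.Scheme == "" || u.Host == "" {
		return TransitKey{}, errors.New("transit key URI must include scheme and host")
	}
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	// Minimum shape: v1, <mount>, keys, <name>
	if len(segs) < 4 || segs[0] != "v1" || segs[len(segs)-2] != "keys" {
		return TransitKey{}, fmt.Errorf("path %q is not of the form /v1/<mount>/keys/<name>", u.Path)
	}
	name := segs[len(segs)-1]
	mount := strings.Join(segs[1:len(segs)-2], "/")
	if mount == "" || name == "" {
		return TransitKey{}, fmt.Errorf("empty mount path or key name in %q", u.Path)
	}
	return TransitKey{Address: u.Scheme + "://" + u.Host, Mount: mount, Name: name}, nil
}

// URI composes the single-string form back from the three parameters.
func (k TransitKey) URI() string {
	return fmt.Sprintf("%s/v1/%s/keys/%s", k.Address, k.Mount, k.Name)
}

// EncryptPath is the Transit API path that would be called to encrypt with this key.
func (k TransitKey) EncryptPath() string {
	return "/v1/" + k.Mount + "/encrypt/" + k.Name
}

func main() {
	k, err := ParseTransitKeyURI("http://localhost:8200/v1/team/transit/keys/mykey")
	fmt.Println(k, err, k.EncryptPath())
}
```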