Use a builtin Secrets Engine inside Custom Secrets Engines


I am currently in the process of developing my own secrets engine. This engine will work very similarly to the SSH secrets engine which is builtin but will do a couple of other checks as well.

The tutorial mentions that it is possible to extend other secret engines, but I did not find a way to do that.

My preferred way would be to just call the SSH engine and let it do its thing without me touching that. Sure, I could just copy the engine code into mine and integrate it that way, but I really don’t like this solution, as I would need to keep the code up to date.

I saw similar questions were posted before, though these are already more than 2 years old and haven’t been answered yet.

I would really appreciate it if someone has any idea how to solve this.

The way to extend a built-in secrets engine is to copy and extend the code.

Vault does not provide any way for one secret engine to internally invoke another - so the only way for one secret engine to call another is to call the Vault public API as a regular client would. This means lots of complication, as the custom secret engine now needs to be able to authenticate to Vault with its own credentials, which generally need wide-open access to call the target secret engine on behalf of every possible client.

Faced with these challenges, I suggest that forking the official secrets engine code, and accepting the need to keep it up to date, is the lesser evil.

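Added example (not part of the original thread and not Vault's own code): what "call the Vault public API as a regular client would" means for a custom engine that wants an SSH certificate signed. The mount path `ssh`, the role name, the token value and the `stubVault` test server are assumptions made for illustration. Every request is authorized by the plugin's own token, so the SSH engine never sees which end client triggered it.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// signViaVaultAPI asks the SSH engine (assumed mounted at "ssh") to sign pubKey
// over Vault's HTTP API. pluginToken is the custom engine's own credential; its
// policy must allow "update" on ssh/sign/<role> for every role it may be asked for.
func signViaVaultAPI(c *http.Client, addr, pluginToken, role, pubKey string) (string, error) {
	body, _ := json.Marshal(map[string]string{"public_key": pubKey})
	req, err := http.NewRequest(http.MethodPost, addr+"/v1/ssh/sign/"+role, bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Vault-Token", pluginToken) // the plugin's identity, not the caller's
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("vault returned %s", resp.Status)
	}
	var out struct {
		Data struct{ SignedKey string `json:"signed_key"` } `json:"data"`
	}
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out.Data.SignedKey, err
}

// stubVault is a constructed stand-in for a Vault server so the example runs offline.
func stubVault(wantToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != wantToken {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		fmt.Fprint(w, `{"data":{"signed_key":"ssh-ed25519-cert-v01@openssh.com CONSTRUCTED"}}`)
	}))
}

func main() {
	srv := stubVault("plugin-token")
	defer srv.Close()
	fmt.Println(signViaVaultAPI(srv.Client(), srv.URL, "plugin-token", "my-role", "ssh-ed25519 AAAA..."))
}
```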

Also be aware that if you do fork/copy the code from Vault you will need to adhere to the license (which is MPL v2 I think), in particular you have to release the source code to anyone you distribute the plugin to (so if you choose to sell/distribute it the recipient is free to make their own changes and/or further distribute it as they wish).

Thanks for clarifying, I was kinda expecting this to be that way, but hoping it would be another way.
Seems like a bit of an odd plugin design in regards to security. But that’s probably a discussion for another topic :wink:

Thanks for the heads up. I’ll take a closer look at the license