Secrets management through vaults #2564

Open
opened 2026-02-28 02:59:06 -05:00 by deekerman · 0 comments
Owner

Originally created by @vipasane on GitHub (Sep 7, 2023).

⚠️ Please verify that this feature request has NOT been suggested before.

  • I checked and didn't find similar feature request

🏷️ Feature Request Type

Other

🔖 Feature description

Transparent way to use (or synchronize) secrets such as usernames, passwords, connection strings, API keys and certificates between different vaults without the need to have yet another copy of these values to be maintained manually locally. This store should be independent, agnostic of which node is used to run this probing task, and therefore it should rather be tied to the identity which is running the service(s).

Integrating the services listed below would be a great deal for attracting enterprise users:

  • HashiCorp Vault
  • Azure Key Vault
  • AWS Secrets Manager
  • GCP Secret Manager

Justification:
SREs rarely know or even should know production environment secrets, especially if they are automatically rotated.
Therefore there is a need to just pick up a token string representing the secret from a list.

✔️ Solution

All the available secrets from a single (or all available) vault connection(s) are shown as a list where the user can select the secret to be used. These secrets are refreshed from the vaults periodically or even fetched when needed.

Alternatives

A background service which will track changes in targeted (pre-configured) vaults and synchronize changes in a local encrypted cache.

📝 Additional Context

One practical example:
a .NET way of tracking configuration changes: https://learn.microsoft.com/en-us/azure/azure-app-configuration/reload-key-vault-secrets-dotnet

Reference
starred/uptime-kuma#2564