I have a use case where it would be ideal if there was some way to add new secrets to an existing secrets file that is encrypted. I know this is possible by decrypting the file then adding and then re-encrypting, but I am using Azure Keyvault and many folks who may need to have access to add new secret values will not have access to use the key in the vault to decrypt, so they cannot decrypt and re-encrypt all of the secrets.
Is this somehow possible today?
@cdunford I think the only possible way would be to split the secrets file into two, one with the key that only admins have access to, and another with the key everyone has access to.
Not sure if this works with helm-secrets, but I remember that sops - the tool used by helm-secrets under the hood to enc/dec secrets - had the ability to use a dedicated key for each encrypted secrets file. So hopefully it just works.
Another way would be to enhance vals. It's the secrets manager embedded in Helmfile to turn any yaml values formatted like ref+<provider name>://id/of/the/secret/you/want/to/load into actual secrets values.
This way, you don't need to re-encrypt the secrets file to add/remove a single secret.
It doesn't support Azure KeyVault or any kind of secrets manager in Azure yet (https://github.com/variantdev/vals#suported-backends), so hopefully you could submit a pull request OR help me implement/test the Azure provider for vals to support your use case.
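As an added example, not part of this thread and not vals' own code, here is a minimal Python resolver for the ref+<provider>://... scheme described in the comment above. The provider name `memkv` and the `MemoryKeyVault` class are hypothetical stand-ins for a real backend such as Azure Key Vault, and the values document and secret contents are constructed. What it shows: with references instead of an encrypted file, adding a secret is one write to the backend plus one new plaintext line in the values, so a contributor needs no ability to decrypt the secrets that are already there.

```python
"""Resolve vals-style ``ref+<provider>://<path>[#key]`` references in a values tree.

Added example (not code from this thread, from helmfile or from vals): an
in-memory backend stands in for a remote secret store such as Azure Key Vault.
"""
import json
from urllib.parse import urlsplit

REF_PREFIX = "ref+"


class UnknownProvider(KeyError):
    """Raised when a ref names a provider with no registered backend."""


class MemoryKeyVault:
    """Constructed stand-in for a secret store (hypothetical; real vals
    providers talk to Vault, AWS, GCP, etc. over the network)."""

    def __init__(self):
        self._secrets = {}

    def put(self, name, value):
        # Writing a new secret needs no access to any existing one.
        self._secrets[name] = value

    def get(self, name):
        try:
            return self._secrets[name]
        except KeyError:
            raise KeyError(f"secret not found in vault: {name!r}") from None


def parse_ref(value):
    """Return (provider, path, key) for a ref+ string, or None for any other value.

    "ref+memkv://team-vault/api-creds#token" -> ("memkv", "team-vault/api-creds", "token")
    """
    if not isinstance(value, str) or not value.startswith(REF_PREFIX):
        return None
    parts = urlsplit(value[len(REF_PREFIX):])
    if not parts.scheme:
        raise ValueError(f"malformed ref, missing provider: {value!r}")
    path = (parts.netloc + parts.path).strip("/")
    return parts.scheme, path, parts.fragment or None


def resolve(values, providers):
    """Walk a values tree and replace every ref+ string with the secret it points to."""
    if isinstance(values, dict):
        return {k: resolve(v, providers) for k, v in values.items()}
    if isinstance(values, list):
        return [resolve(v, providers) for v in values]
    ref = parse_ref(values)
    if ref is None:
        return values
    provider, path, key = ref
    if provider not in providers:
        raise UnknownProvider(provider)
    secret = providers[provider].get(path)
    if key is not None:
        # A JSON-valued secret holding several fields: pick one by fragment
        # (this example's own convention, not necessarily vals' syntax).
        secret = json.loads(secret)[key]
    return secret


# Constructed values document, standing in for a Helm values.yaml.
# Only the ref strings live in git; no encryption step is involved.
VALUES = {
    "image": {"tag": "1.2.3"},
    "db": {"user": "app", "password": "ref+memkv://team-vault/db-password"},
    "api": {"credentials": "ref+memkv://team-vault/api-creds#token"},
}


def build_vault():
    """A contributor writes secrets into the backend; a deploy job resolves them later."""
    vault = MemoryKeyVault()
    vault.put("team-vault/db-password", "s3cr3t-pw")
    vault.put("team-vault/api-creds", json.dumps({"id": "svc-1", "token": "tok-123"}))
    return vault


def render_values(values=VALUES):
    """Resolve a values tree against the constructed backend; returns the rendered tree."""
    return resolve(values, {"memkv": build_vault()})


if __name__ == "__main__":
    print(json.dumps(render_values(), indent=2))
```

Unknown providers and missing secrets raise rather than silently leaving the ref string in place, since a literal `ref+...` string ending up in a rendered Secret is the failure mode you least want to discover in production.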
I am using the multiple secrets files approach currently and it works fine. My use case doesn't actually involve different keys. It's the same key for all secrets, it's just no one has access to use the key in the vault to decrypt, they can just use it to encrypt.
I wasn't aware of the other means to load secrets directly from the values. Is that documented somewhere (maybe I just missed it)?