vault: Hide values used for authentication

The following options are used for authentication with Vault, so should be hidden from logs. 1) root_token_id This is not actually an id but a token string 2) approle_role_id and approle_secret_id These are used together to obtain token Closes-Bug: #2058397 Change-Id: I000149b6c5017c9548db55ae2517405dc8325808
2024-03-20 00:17:28 +09:00 · 2024-03-20 00:17:28 +09:00 · 327ee6e979
parent 8c89839e37
commit 327ee6e979
1 changed files with 3 additions and 0 deletions
--- a/castellan/key_manager/vault_key_manager.py
+++ b/castellan/key_manager/vault_key_manager.py
@ -45,10 +45,13 @@ _DEFAULT_VERSION = 2

 _vault_opts = [
    cfg.StrOpt('root_token_id',
+               secret=True,
               help='root token for vault'),
    cfg.StrOpt('approle_role_id',
+               secret=True,
               help='AppRole role_id for authentication with vault'),
    cfg.StrOpt('approle_secret_id',
+               secret=True,
               help='AppRole secret_id for authentication with vault'),
    cfg.StrOpt('kv_mountpoint',
               default=_DEFAULT_MOUNTPOINT,