From 327ee6e979b1ecb0226974f8daa611ee03d746e7 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Wed, 20 Mar 2024 00:17:28 +0900 Subject: [PATCH] vault: Hide values used for authentication The following options are used for authentication with Vault, so should be hidden from logs. 1) root_token_id This is not actually an id but a token string 2) approle_role_id and approle_secret_id These are used together to obtain token Closes-Bug: #2058397 Change-Id: I000149b6c5017c9548db55ae2517405dc8325808
---
 castellan/key_manager/vault_key_manager.py | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/castellan/key_manager/vault_key_manager.py b/castellan/key_manager/vault_key_manager.py
index 8d907c89..78d8b313 100644
--- a/castellan/key_manager/vault_key_manager.py
+++ b/castellan/key_manager/vault_key_manager.py
@@ -45,10 +45,13 @@ _DEFAULT_VERSION = 2
 _vault_opts = [
 cfg.StrOpt('root_token_id',
+ secret=True,
 help='root token for vault'),
 cfg.StrOpt('approle_role_id',
+ secret=True,
 help='AppRole role_id for authentication with vault'),
 cfg.StrOpt('approle_secret_id',
+ secret=True,
 help='AppRole secret_id for authentication with vault'),
 cfg.StrOpt('kv_mountpoint',
 default=_DEFAULT_MOUNTPOINT,
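Review bot: `secret=True` on `root_token_id`, `approle_role_id` and `approle_secret_id` only masks the values where oslo.config itself prints options (for example `log_opt_values`), so anything already written to existing logs stays there, and the commit touches one file with no release note telling operators so. I would add a security release note saying that earlier releases could log these options in clear text, and that the root token and AppRole secret_id should be rotated if such logs were retained or shipped off-host. The help for `root_token_id` also still reads like an identifier, although the commit message says it is a token string; `help='Root token (the token string itself, not an id) for vault'` would match. The `_vault_opts` list and the rest of the module lie outside the hunk, so any direct logging of these values elsewhere cannot be checked from here and is worth a look.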