3b0e793feb
In order to tighten the security around access to secrets stored in a Vault KV secrets backend, generate a secret_id for each accessing unit, using a response wrapping token which is passed over the relation to the consuming application. The consuming application will then use this token out-of-band of Juju to retrieve the secret_id associated with the AppRole ID directly from Vault.

Add a new action 'refresh-secrets' to force a renewal of secret_ids and associated one-shot retrieval tokens across a deployment.

A token is only issued when a new approle is created or when a refresh is initiated via the 'refresh-secrets' action.

Change-Id: I2cd173514377d65542ea4fa67ccf700ea4b6ab89

| File |
|---|
| `__init__.py` |
| `test_lib_charm_vault.py` |
| `test_reactive_vault_handlers.py` |
| `test_utils.py` |