I'm totally new to Vault and what I want is to detect when a secret changes and execute some code in response. I've been googling for resources about how to do that but haven't found anything useful. From what I've read and learnt, I think the only way of achieving what I want is by implementing a custom secrets engine. Am I right? Do you know a better way of achieving what I want?
Viewed 1,716 times
I've found the [issue#3687](https://github.com/hashicorp/vault/issues/3687) that says this feature is still not available. If your application runs on Kubernetes you can check the documentation about [sidecar containers](https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar). – Davide Madrisan Sep 13 '21 at 19:34
2 Answers
There is no event option in Vault as of now, so we don't get notified natively when the key/value pairs change.
I would recommend using the polling method if you have such a scenario with Vault.
Here is one nice CRD that also uses polling and syncs a Vault secret to a Kubernetes secret.
This might be useful for reference: https://github.com/DaspawnW/vault-crd

Harsh Manvar
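The polling approach described in this answer, as an added example that is not part of the original answer or of the vault-crd project. It polls the KV v2 *metadata* endpoint (`GET /v1/<mount>/metadata/<path>`), which returns the current version number and timestamps without returning the secret value itself, so the watcher only reads the secret when the version actually changes. The mount name `secret`, the path `app/db`, the `VAULT_ADDR`/`VAULT_TOKEN` environment variables and the sample responses in `demo()` are assumptions for illustration; the live fetcher is only used if you pass no `fetch` of your own.

```python
"""Poll a Vault KV v2 secret's metadata and run a callback when its version changes.

Added example for this answer; not code from the original page or from vault-crd.
Assumes a KV v2 engine mounted at `secret/` (the default for `vault server -dev`).
"""
import json
import os
import time
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")   # assumption
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")                       # assumption

# The metadata endpoint is the real Vault KV v2 API; the mount name is an assumption.
def fetch_metadata(path: str, mount: str = "secret") -> Dict[str, Any]:
    """GET /v1/<mount>/metadata/<path>: version info only, never the secret value."""
    url = f"{VAULT_ADDR}/v1/{mount}/metadata/{path}"
    req = urllib.request.Request(url, headers={"X-Vault-Token": VAULT_TOKEN})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["data"]

# Callback signature: (path, old_state, new_state, updated_time)
State = Tuple[int, bool]   # (current_version, current version soft-deleted?)
OnChange = Callable[[str, State, State, Optional[str]], None]


class SecretWatcher:
    """Tracks (current_version, deleted) for one KV v2 path and fires on change."""

    def __init__(self, path: str, on_change: OnChange,
                 fetch: Callable[[str], Dict[str, Any]] = fetch_metadata) -> None:
        self.path = path
        self.on_change = on_change
        self.fetch = fetch
        self.last: Optional[State] = None

    @staticmethod
    def state_of(meta: Dict[str, Any]) -> State:
        version = int(meta["current_version"])
        # A soft delete of the latest version does NOT bump current_version, so
        # look at the per-version record to notice it as well.
        vinfo = meta.get("versions", {}).get(str(version), {})
        deleted = bool(vinfo.get("deletion_time")) or bool(vinfo.get("destroyed"))
        return (version, deleted)

    def check_once(self) -> bool:
        """Poll once. Returns True only if a change was detected and the callback ran."""
        try:
            meta = self.fetch(self.path)
        except Exception as exc:  # network/Vault error: keep last state, no callback
            print(f"poll of {self.path} failed: {exc}")
            return False
        now = self.state_of(meta)
        if self.last is None:
            self.last = now          # first observation is a baseline, not a change
            return False
        if now != self.last:
            old, self.last = self.last, now
            self.on_change(self.path, old, now, meta.get("updated_time"))
            return True
        return False

    def run(self, interval: float = 30.0) -> None:
        """Blocking poll loop; interval is the latency you accept for detecting a change."""
        while True:
            self.check_once()
            time.sleep(interval)


def demo() -> List[Tuple[str, State, State, Optional[str]]]:
    """Drive the watcher with CONSTRUCTED metadata responses (no Vault needed)."""
    responses: List[Any] = [
        {"current_version": 3, "updated_time": "2021-09-13T19:00:00Z",
         "versions": {"3": {"deletion_time": "", "destroyed": False}}},
        {"current_version": 3, "updated_time": "2021-09-13T19:00:00Z",
         "versions": {"3": {"deletion_time": "", "destroyed": False}}},
        ConnectionError("vault unreachable"),          # transient failure, must be ignored
        {"current_version": 4, "updated_time": "2021-09-13T19:30:00Z",
         "versions": {"4": {"deletion_time": "", "destroyed": False}}},
        {"current_version": 4, "updated_time": "2021-09-13T19:30:00Z",
         "versions": {"4": {"deletion_time": "2021-09-13T19:40:00Z", "destroyed": False}}},
    ]
    it = iter(responses)

    def fake_fetch(_path: str) -> Dict[str, Any]:
        item = next(it)
        if isinstance(item, Exception):
            raise item
        return item

    events: List[Tuple[str, State, State, Optional[str]]] = []
    w = SecretWatcher("app/db", lambda *args: events.append(args), fetch=fake_fetch)
    for _ in responses:
        w.check_once()
    return events


if __name__ == "__main__":
    for ev in demo():
        print("change:", ev)
```

Two design points worth keeping if you adapt this: a failed poll must not be treated as "no secret" (otherwise a Vault outage would fire your change handler), and watching only `current_version` misses a soft delete of the latest version, which is why the state also carries the `deletion_time`/`destroyed` flag.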
There currently are no triggers that'll tell you when the secret has changed. If you're running Kubernetes (sidecar) or using the Vault Agent, this is minimized as the agent will auto-pull any new secrets down (configurable).

awm
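What "the agent will auto-pull any new secrets down (configurable)" looks like in practice, as an added example that is not from the answer above: a Vault Agent configuration that re-renders a template when the secret changes and runs a command afterwards. `static_secret_render_interval` is the knob that controls how often the agent re-reads a static KV secret (Vault's default is 5 minutes). The Kubernetes auth role `myapp`, the secret path `secret/data/app/db`, the output file and the `kill -HUP` command are assumptions for illustration.

```hcl
# Added example (not the answerer's config). Assumes Kubernetes auth with role "myapp"
# and a KV v2 secret at secret/app/db containing a "password" field.
vault {
  address = "http://127.0.0.1:8200"   # assumption: in-cluster Vault address
}

auto_auth {
  method "kubernetes" {
    config = {
      role = "myapp"                   # assumption
    }
  }
}

template_config {
  # How often the agent re-reads static (KV) secrets; this bounds your detection latency.
  static_secret_render_interval = "1m"
}

template {
  contents    = <<EOT
{{ with secret "secret/data/app/db" -}}
DB_PASSWORD={{ .Data.data.password }}
{{- end }}
EOT
  destination = "/vault/secrets/db.env"   # assumption: shared volume with the app
  perms       = "0600"                    # keep the rendered secret private to the app user
  # Runs only when the rendered file actually changed, i.e. when the secret changed.
  command     = "sh -c 'kill -HUP $(cat /var/run/app.pid)'"   # assumption: app reloads on SIGHUP
}
```

This is still polling underneath (the agent re-reads the secret every `static_secret_render_interval`), so the latency trade-off from the other answer applies; the difference is that the agent handles authentication, token renewal and the "did it change" comparison for you, and your code only needs to react to the `command`.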