vault: Hide values used for authentication

The following options are used for authentication with Vault, so should be hidden from logs. 1) root_token_id This is not actually an id but a token string 2) approle_role_id and approle_secret_id These are used together to obtain token Closes-Bug: #2058397 Change-Id: I0650fd12e3f51fc4d829e0be3ab95cd8b3ee03ea
2024-03-20 00:24:17 +09:00 · 2024-03-20 00:24:17 +09:00 · 82e1782b39
commit 82e1782b39
parent b6edfda344
1 changed files with 3 additions and 0 deletions
--- a/barbican/plugin/vault_secret_store.py
+++ b/barbican/plugin/vault_secret_store.py
@ -28,10 +28,13 @@ DEFAULT_MOUNTPOINT = "secret"
 vault_opt_group = cfg.OptGroup(name='vault_plugin', title='Vault Plugin')
 vault_opts = [
    cfg.StrOpt('root_token_id',
+               secret=True,
               help='root token for vault'),
    cfg.StrOpt('approle_role_id',
+               secret=True,
               help='AppRole role_id for authentication with vault'),
    cfg.StrOpt('approle_secret_id',
+               secret=True,
               help='AppRole secret_id for authentication with vault'),
    cfg.StrOpt('kv_mountpoint',
               default=DEFAULT_MOUNTPOINT,