david bush created BROOKLYN-277:
-----------------------------------
Summary: Add support for 'path within value' in
org.apache.brooklyn.core.config.external.vault
Key: BROOKLYN-277
URL: https://issues.apache.org/jira/browse/BROOKLYN-277
Project: Brooklyn
Issue Type: New Feature
Reporter: david bush

Vault stores credentials as key/value pairs under specific directories. It
also has a design feature whereby writing a new K/V to an existing location
overwrites any existing K/Vs. This means maintaining several sets of
credentials becomes difficult and risky as all have to be read, modified,
written back together (currently a manual job).

In order to address this in the simplest manner the proposed change is to allow
the path to be specified in `$brooklyn:external`.

Currently the path is set and a global key of 'vault' used in the credential:
```
brooklyn.external.vault.path=secret/amp
somecred.identity = $brooklyn:external("vault", "uniquekey")
```
Proposed:
```
brooklyn.external.vault.path=secret/amp
somecred.identity = $brooklyn:external("vault","path/within/vault/uniquekey")
```
e.g. `aws.identity = $brooklyn:external("vault","aws/username")`
So, AMP would read the value of key `username` from location `secret/amp/aws`.
This should allow granular maintenance of credentials with much lower risk.
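
The behaviour described in the issue above, as an added example that is not Brooklyn's code and not part of the original report: an in-memory map stands in for Vault, first showing the overwrite problem with a single shared location, then the proposed split of the value into location and key. The names `write`, `locate` and `resolve`, the sample credentials, and the rejection of empty, `.` and `..` segments are assumptions of this sketch.

```java
import java.util.HashMap;
import java.util.Map;

public class VaultPathWithinValue {
    // In-memory stand-in for Vault's K/V store (constructed for this example).
    static final Map<String, Map<String, String>> STORE = new HashMap<>();

    // Mirrors the behaviour described in the issue: a write replaces every K/V at that location.
    static void write(String location, Map<String, String> data) {
        STORE.put(location, new HashMap<>(data));
    }

    // Splits "path/within/vault/uniquekey" into {location, key}, relative to basePath.
    static String[] locate(String basePath, String value) {
        for (String segment : value.split("/", -1)) {
            // Added hardening (an assumption, not part of the proposal): the value now
            // contributes to the location, so it must not step outside basePath.
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                throw new IllegalArgumentException("invalid key: " + value);
            }
        }
        int cut = value.lastIndexOf('/');
        String location = cut < 0 ? basePath : basePath + "/" + value.substring(0, cut);
        return new String[] { location, value.substring(cut + 1) };
    }

    // Returns the stored value, or null when the location or key does not exist.
    static String resolve(String basePath, String value) {
        String[] target = locate(basePath, value);
        Map<String, String> data = STORE.get(target[0]);
        return data == null ? null : data.get(target[1]);
    }

    public static void main(String[] args) {
        String base = "secret/amp"; // value of brooklyn.external.vault.path
        // Current layout: all credentials share one location, so the second
        // write replaces the first unless both are written back together.
        write(base, Map.of("aws-username", "constructed-aws-user"));
        write(base, Map.of("gce-username", "constructed-gce-user"));
        System.out.println("shared location: " + resolve(base, "aws-username"));

        // Proposed layout: one location per credential set, updated independently.
        write(base + "/aws", Map.of("username", "constructed-aws-user"));
        write(base + "/gce", Map.of("username", "constructed-gce-user"));
        System.out.println("path within value: " + resolve(base, "aws/username"));
    }
}
```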