Description
Is your feature request related to a problem? Please describe.
When issuing AppRole `secret-id`s, metadata can be attached, but there is no way to query or filter secret-ids by that metadata.
Today, the only workflow is:
- List all secret-id accessors for a role.
- Lookup each accessor.
- Filter client-side by metadata.
This is inefficient at scale and makes it hard to quickly answer questions like:
- Ex: Which secret-id was issued for `webserver1`?
- Ex: Which secret-ids belong to the `ci-pipeline`?
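The three-step workflow described above, written out as an added example (this is not code from the issue or from Vault itself). It uses Vault's existing `LIST .../secret-id` and `POST .../secret-id-accessor/lookup` endpoints; the real client assumes `VAULT_ADDR` and `VAULT_TOKEN` are set, and the constructed `fake_request` stand-in lets it run offline against sample metadata.

```python
import json
import os
import urllib.error
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")

def vault_request(method, path, body=None):
    """Minimal Vault HTTP client; authenticates with the token in VAULT_TOKEN."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    req.add_header("X-Vault-Token", os.environ["VAULT_TOKEN"])
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if method == "LIST" and err.code == 404:  # Vault answers an empty LIST with 404
            return {"data": {"keys": []}}
        raise

def find_secret_ids_by_metadata(role, wanted, request=vault_request):
    """List accessors, look up each one, keep those whose metadata contains every
    key/value in `wanted`. Returns [(accessor, lookup_data)]. Only accessors are
    handled; the secret-id value itself is never returned by these endpoints."""
    base = f"auth/approle/role/{role}"
    accessors = request("LIST", f"{base}/secret-id")["data"].get("keys", [])
    matches = []
    for accessor in accessors:
        info = request("POST", f"{base}/secret-id-accessor/lookup",
                       {"secret_id_accessor": accessor})["data"]
        metadata = info.get("metadata") or {}  # lookup returns null when none was attached
        if all(metadata.get(k) == v for k, v in wanted.items()):
            matches.append((accessor, info))
    return matches

# Constructed sample data standing in for a live Vault server so the example runs offline.
FAKE_SECRET_IDS = {
    "accessor-1": {"metadata": {"alias": "webserver1", "owner": "ci"}},
    "accessor-2": {"metadata": {"alias": "runner42", "owner": "ci", "environment": "staging"}},
    "accessor-3": {"metadata": None},  # issued without metadata
}

def fake_request(method, path, body=None):
    """Offline stand-in for vault_request that answers from FAKE_SECRET_IDS."""
    if method == "LIST":
        return {"data": {"keys": sorted(FAKE_SECRET_IDS)}}
    accessor = body["secret_id_accessor"]
    return {"data": {"secret_id_accessor": accessor, **FAKE_SECRET_IDS[accessor]}}
```

Every accessor costs one lookup call, which is exactly the per-secret-id round trip that a server-side filter would remove.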
Describe the solution you'd like
Proposed Solution
Add an API endpoint (or plugin support) to filter secret-ids by metadata.
Example:

```
GET /v1/auth/approle/role/<role_name>/secret-id/lookup-by-metadata?alias=webserver1
GET /v1/auth/approle/role//secret-id/lookup-by-metadata?cidr='192.168.15.15/24'
```
This would return all matching accessors and their details.
Describe alternatives you've considered
- Client-side scripts to iterate and filter (inefficient).
- External index of secret-id metadata (adds complexity and risk of drift).
Explain any additional use-cases
- Ops teams identifying which secret-id belongs to which host (`webserver1`, `runner42`, etc.).
- Security teams auditing issued secret-ids by labels like `owner=ci` or `environment=staging`.
- Automation pipelines revoking credentials tied to a specific service.
Additional context