Related to
Ansible (task execution)
Impact
security improvements
Missing Feature
It would be nice to be able to let Semaphore use an external credential manager like OpenBao or HashiCorp Vault for secrets like SSH private keys, Ansible vault secrets and passwords. This would improve security for the case that an attacker gets access to a backup of a machine running Semaphore UI. The attacker would not be able to use the credentials without access to the external secret manager.
Implementation
From my point of view, the AccessKey struct in db/AccessKey.go needs an abstraction to retrieve the keys from an external secret manager or from the current implementation as a fallback. Configuration needs to be extended to configure the secret manager API endpoint as well as credentials (Token, AppRole or potentially other ways to authenticate against the secret manager).
Design
No response
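The abstraction sketched in the Implementation section, written out as an added Go example. This is illustrative code, not Semaphore's own: the `SecretSource` interface, the `KVv2Source` backend, the `path#field` reference syntax, the `AccessKey` fields and the `Addr`/`Mount`/`Token` configuration values are all assumptions made for the example. The HTTP request and response shape follow the Vault/OpenBao KV v2 read API; the fake server is constructed test data so the example runs offline.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Added illustration, not Semaphore's code: an access key's secret either
// lives in an external KV v2 store or (fallback) in the local database.

var ErrNotFound = errors.New("secret not found")

// SecretSource is the abstraction: resolve a reference to secret bytes.
type SecretSource interface {
	Secret(ctx context.Context, ref string) ([]byte, error)
}

// KVv2Source reads "path#field" from a Vault/OpenBao KV v2 mount with a token.
// Addr, Mount and Token are assumed to come from Semaphore's configuration.
type KVv2Source struct {
	Addr, Mount, Token string
	Client             *http.Client
}

func (s KVv2Source) Secret(ctx context.Context, ref string) ([]byte, error) {
	path, field, ok := strings.Cut(ref, "#")
	if !ok {
		return nil, fmt.Errorf("bad secret reference %q (want path#field)", ref)
	}
	url := fmt.Sprintf("%s/v1/%s/data/%s", strings.TrimRight(s.Addr, "/"), s.Mount, path)
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", s.Token)
	resp, err := s.Client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusNotFound {
		return nil, ErrNotFound
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("secret manager returned %s", resp.Status)
	}
	// KV v2 read response: {"data":{"data":{<field>:<value>},"metadata":{...}}}
	var body struct {
		Data struct {
			Data map[string]string `json:"data"`
		} `json:"data"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return nil, err
	}
	val, ok := body.Data.Data[field]
	if !ok {
		return nil, ErrNotFound
	}
	return []byte(val), nil
}

// AccessKey sketches the record: an external reference or a locally stored secret.
type AccessKey struct {
	Name        string
	ExternalRef string // non-empty: the secret lives in the external manager
	LocalSecret []byte // used only when ExternalRef is empty (current behaviour)
}

// Resolve returns the key's secret. A key with an ExternalRef never falls back
// to a database copy: an unreachable manager is an error, otherwise a backup
// of the database would still be usable, which is what the feature prevents.
func Resolve(ctx context.Context, src SecretSource, k AccessKey) ([]byte, error) {
	if k.ExternalRef != "" {
		return src.Secret(ctx, k.ExternalRef)
	}
	if k.LocalSecret == nil {
		return nil, ErrNotFound
	}
	return k.LocalSecret, nil
}

// NewFakeKV serves a minimal KV-v2-shaped API on the "kv" mount so the example
// runs offline; secrets maps path -> field/value pairs (constructed data).
func NewFakeKV(token string, secrets map[string]map[string]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != token {
			http.Error(w, "permission denied", http.StatusForbidden)
			return
		}
		data, ok := secrets[strings.TrimPrefix(r.URL.Path, "/v1/kv/data/")]
		if !ok || !strings.HasPrefix(r.URL.Path, "/v1/kv/data/") {
			http.NotFound(w, r)
			return
		}
		json.NewEncoder(w).Encode(map[string]any{"data": map[string]any{"data": data}})
	}))
}

func main() {
	srv := NewFakeKV("demo-token", map[string]map[string]string{
		"semaphore/ssh/deploy": {"private_key": "(constructed private key material)"},
	})
	defer srv.Close()
	src := KVv2Source{Addr: srv.URL, Mount: "kv", Token: "demo-token", Client: srv.Client()}
	for _, k := range []AccessKey{
		{Name: "deploy", ExternalRef: "semaphore/ssh/deploy#private_key"},
		{Name: "legacy", LocalSecret: []byte("stored-in-db")},
		{Name: "gone", ExternalRef: "semaphore/ssh/gone#private_key"},
	} {
		v, err := Resolve(context.Background(), src, k)
		fmt.Printf("%s: %d bytes, err=%v\n", k.Name, len(v), err)
	}
}
```

The design point worth keeping from this sketch is in `Resolve`: a missing or unreachable external secret is surfaced as an error rather than silently served from the database, and a key configured with an external reference has no local copy to begin with. Token or AppRole authentication would sit behind the `Token` field (an AppRole login exchanges a role id and secret id for a token), so the `SecretSource` implementation is the only place that would change.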