CLI changes for new mount tune config parameter allowed_managed_keys (#13255)

* CLI changes for new mount tune config parameter allowed_managed_keys * Correct allowed_managed_keys description in auth and secrets * Documentation update for secrets and removed changes for auth * Add changelog and remove documentation changes for auth * removed changelog * Correct the field description
2026-05-05 20:36:26 +02:00 · 2021-12-10 11:08:28 -06:00 · 2021-12-10 11:08:28 -06:00 · bcdc57fc00
commit bcdc57fc00
parent 14d2f08b0f
7 changed files with 49 additions and 1 deletions
--- a/command/commands.go
+++ b/command/commands.go
@ -116,6 +116,8 @@ const (
 	flagNameAllowedResponseHeaders = "allowed-response-headers"
 	// flagNameTokenType is the flag name used to force a specific token type
 	flagNameTokenType = "token-type"
+	// flagNameAllowedManagedKeys is the flag name used for auth/secrets enable
+	flagNameAllowedManagedKeys = "allowed-managed-keys"
 )

 var (
--- a/command/secrets_enable.go
+++ b/command/secrets_enable.go
@ -37,6 +37,7 @@ type SecretsEnableCommand struct {
 	flagSealWrap                  bool
 	flagExternalEntropyAccess     bool
 	flagVersion                   int
+	flagAllowedManagedKeys        []string
 }

 func (c *SecretsEnableCommand) Synopsis() string {
@ -209,6 +210,15 @@ func (c *SecretsEnableCommand) Flags() *FlagSets {
 		Usage:   "Select the version of the engine to run. Not supported by all engines.",
 	})

+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAllowedManagedKeys,
+		Target: &c.flagAllowedManagedKeys,
+		Usage: "Managed key name(s) that the mount in question is allowed to access. " +
+			"Note that multiple keys may be specified either by providing the key names " +
+			"as a comma separated string or by providing this option multiple times, " +
+			"each time with 1 key.",
+	})
+
 	return set
 }

@ -307,6 +317,10 @@ func (c *SecretsEnableCommand) Run(args []string) int {
 		if fl.Name == flagNameAllowedResponseHeaders {
 			mountInput.Config.AllowedResponseHeaders = c.flagAllowedResponseHeaders
 		}
+
+		if fl.Name == flagNameAllowedManagedKeys {
+			mountInput.Config.AllowedManagedKeys = c.flagAllowedManagedKeys
+		}
 	})

 	if err := client.Sys().Mount(mountPath, mountInput); err != nil {
--- a/command/secrets_enable_test.go
+++ b/command/secrets_enable_test.go
@ -113,6 +113,7 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
 			"-passthrough-request-headers", "authorization,authentication",
 			"-passthrough-request-headers", "www-authentication",
 			"-allowed-response-headers", "authorization",
+			"-allowed-managed-keys", "key1,key2",
 			"-force-no-cache",
 			"pki",
 		})
@ -162,6 +163,9 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
 		if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
 			t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
 		}
+		if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
+		}

 	})

--- a/command/secrets_tune.go
+++ b/command/secrets_tune.go
@ -30,6 +30,7 @@ type SecretsTuneCommand struct {
 	flagAllowedResponseHeaders    []string
 	flagOptions                   map[string]string
 	flagVersion                   int
+	flagAllowedManagedKeys        []string
 }

 func (c *SecretsTuneCommand) Synopsis() string {
@ -137,6 +138,15 @@ func (c *SecretsTuneCommand) Flags() *FlagSets {
 		Usage:   "Select the version of the engine to run. Not supported by all engines.",
 	})

+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAllowedManagedKeys,
+		Target: &c.flagAllowedManagedKeys,
+		Usage: "Managed key name(s) that the mount in question is allowed to access. " +
+			"Note that multiple keys may be specified either by providing the key names " +
+			"as a comma separated string or by providing this option multiple times, " +
+			"each time with 1 key.",
+	})
+
 	return set
 }

@ -213,6 +223,10 @@ func (c *SecretsTuneCommand) Run(args []string) int {
 		if fl.Name == flagNameAllowedResponseHeaders {
 			mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders
 		}
+
+		if fl.Name == flagNameAllowedManagedKeys {
+			mountConfigInput.AllowedManagedKeys = c.flagAllowedManagedKeys
+		}
 	})

 	if err := client.Sys().TuneMount(mountPath, mountConfigInput); err != nil {
--- a/command/secrets_tune_test.go
+++ b/command/secrets_tune_test.go
@ -170,6 +170,7 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
 				"-passthrough-request-headers", "authorization",
 				"-passthrough-request-headers", "www-authentication",
 				"-allowed-response-headers", "authorization,www-authentication",
+				"-allowed-managed-keys", "key1,key2",
 				"-listing-visibility", "unauth",
 				"mount_tune_integration/",
 			})
@ -216,6 +217,9 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
 			if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
 				t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
 			}
+			if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
+				t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
+			}
 		})

 		t.Run("flags_description", func(t *testing.T) {
--- a/website/content/docs/commands/secrets/enable.mdx
+++ b/website/content/docs/commands/secrets/enable.mdx
@ -98,3 +98,8 @@ flags](/docs/commands) included on all commands.
 - `-allowed-response-headers` `(string: "")` - response header values that the secrets
  engine will be allowed to set. Note that multiple keys may be
  specified by providing this option multiple times, each time with 1 key.
+
+- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount
+  in question is allowed to access. Note that multiple keys may be specified
+  either by providing the key names as a comma separated string or by providing
+  this option multiple times, each time with 1 key.
--- a/website/content/docs/commands/secrets/tune.mdx
+++ b/website/content/docs/commands/secrets/tune.mdx
@ -2,7 +2,7 @@
 layout: docs
 page_title: secrets tune - Command
 description: |-
-  The "secrets tune" command tunes the configuration options for the secrets engine at the given PATH. 
+  The "secrets tune" command tunes the configuration options for the secrets engine at the given PATH.
 ---

 # secrets tune
@ -86,3 +86,8 @@ flags](/docs/commands) included on all commands.
 - `-passthrough-request-headers` `(string: "")` - request header values that will
  be sent to the secrets engine. Note that multiple keys may be
  specified by providing this option multiple times, each time with 1 key.
+
+- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount
+  in question is allowed to access. Note that multiple keys may be specified
+  either by providing the key names as a comma separated string or by providing
+  this option multiple times, each time with 1 key.