Log transit rotations (#31420)

This commit is contained in:
kpcraig 2025-08-08 18:11:16 -04:00 committed by GitHub
parent 1fafe2f4d5
commit 17e5b92d63
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 16 additions and 1 deletions


@ -56,9 +56,12 @@ func (b *backend) pathRotateWrite(ctx context.Context, req *logical.Request, d *
Name: name,
}, b.GetRandomReader())
if err != nil {
// the error here will be something about "couldn't get policy")
b.Logger().Error("failed to rotate key on user request", "name", name, "error", err.Error())
return nil, err
}
if p == nil {
b.Logger().Error("failed to rotate key on user request", "name", name, "error", "key not found")
return logical.ErrorResponse("key not found"), logical.ErrInvalidRequest
}
if !b.System().CachingDisabled() {
@ -70,6 +73,7 @@ func (b *backend) pathRotateWrite(ctx context.Context, req *logical.Request, d *
var keyId string
keyId, err = GetManagedKeyUUID(ctx, b, managedKeyName, managedKeyId)
if err != nil {
b.Logger().Error("failed to rotate key", "name", name, "error", err.Error())
return nil, err
}
err = p.RotateManagedKey(ctx, req.Storage, keyId)
@ -79,10 +83,18 @@ func (b *backend) pathRotateWrite(ctx context.Context, req *logical.Request, d *
}
if err != nil {
b.Logger().Error("failed to rotate key on user request", "name", name, "error", err.Error())
return nil, err
}
return b.formatKeyPolicy(p, nil)
resp, err := b.formatKeyPolicy(p, nil)
if err != nil {
b.Logger().Error("failed to rotate key on user request", "name", name, "error", err.Error())
} else {
b.Logger().Info("succesfully rotated key on user request", "name", name)
}
// formatKeyPolicy returns a response even on error so be sure to return both.
return resp, err
}
const pathRotateHelpSyn = `Rotate named encryption key`
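Review bot: The Error log on the formatKeyPolicy failure path reuses the message `failed to rotate key on user request`, but by that point the rotation itself has already succeeded (a rotate error was returned by the check immediately above), so an operator reconstructing an incident from the logs would conclude the key was not rotated when it was. Log the success as soon as the rotate-error check passes and give the formatting failure its own message; the rewritten tail of pathRotateWrite is below. While there, `succesfully` in the Info line is misspelled, and the message in the managed-key hunk (`failed to rotate key`) lacks the `on user request` suffix the other three use, which will fragment any log-based alert keyed on that string. Separately, the `key not found` case is a caller error rather than a backend fault, so `b.Logger().Warn(...)` rather than Error would keep an authorized client probing for key names from filling the error log. pathRotateWrite starts before the first hunk, and the branch that assigns err for the non-managed rotate is cut by the third hunk header.
```go
	// … unchanged: rotate error check that returns nil, err …
	// Rotation has already succeeded once we reach here; record it before
	// response formatting, which can fail independently of the rotation.
	b.Logger().Info("successfully rotated key on user request", "name", name)
	resp, err := b.formatKeyPolicy(p, nil)
	if err != nil {
		b.Logger().Error("rotated key but failed to format response", "name", name, "error", err.Error())
	}
	// formatKeyPolicy returns a response even on error so be sure to return both.
	return resp, err
```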

3
changelog/31420.txt Normal file

@ -0,0 +1,3 @@
```release-note:improvement
secrets/transit: add logging on both success and failure of key rotation
```