[Architecture Design for Rails+OpenBao] Audit logs for secrets manager

Overview

This ticket is for developing a design document (part of our architecture design) for streaming audit events from the secrets manager.

See conversation below about design goals: #470461 (comment 2520479333)

We aim to implement minimal audit log functionality for our Secrets Manager experiment using GitLab's existing audit logs system.

Requirements for Experiment

The audit logs must track:

  1. Creation of secrets
  2. Access to secrets
  3. Modification of secrets
  4. Deletion of secrets

Implementation Details

We will use Gitlab::Audit::Auditor to track secrets-related actions:

def create_audit_event(secret, action)
  audit_context = {
    name: "#{action}_secret",               # e.g. "create_secret", "delete_secret"
    author: secret.created_by,              # NOTE: for access/modify/delete events this
                                            # should be the user performing the action
    scope: secret.project || secret.group,  # project-level or group-level secret
    target: secret.environment,
    message: "Secret #{action} by #{secret.created_by}"
  }

  ::Gitlab::Audit::Auditor.audit(audit_context)
end

| Key Actions  | Data to Log                               |
|--------------|-------------------------------------------|
| Creation     | User, timestamp, secret name, environment |
| Access       | User, timestamp, secret name              |
| Modification | User, timestamp, secret name, changes     |
| Deletion     | User, timestamp, secret name              |
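
As an added example (not code from this issue or from GitLab's code base), the helper below builds the audit context for each of the four actions in the table, attributes the event to the acting user rather than to the secret's creator, and for modifications records only which fields changed, never the old or new secret value. `SecretAuditor`, the `Secret` struct and `InMemoryAuditor` are constructed stand-ins so the snippet runs outside a GitLab environment; `additional_details` is assumed to be the context key used for the extra fields.

```ruby
require 'time'

# Constructed stand-in for a secrets-manager record; only metadata, never the value.
Secret = Struct.new(:name, :environment, :project, :group, :created_by, keyword_init: true)

# Constructed stand-in for ::Gitlab::Audit::Auditor that keeps the contexts it receives.
class InMemoryAuditor
  attr_reader :events

  def initialize
    @events = []
  end

  def audit(context)
    @events << context
  end
end

# Hypothetical helper that builds one audit context per action from the table above.
module SecretAuditor
  ACTIONS = %i[create access update delete].freeze

  # actor is the user performing the action; secret.created_by is only the
  # right author for creation events. changes maps field name => [old, new]
  # for update events; only the field names are written to the log.
  def self.audit(auditor, secret, action, actor:, changes: nil, at: Time.now.utc)
    raise ArgumentError, "unknown action #{action}" unless ACTIONS.include?(action)

    details = { secret_name: secret.name, timestamp: at.iso8601 }
    details[:environment] = secret.environment if action == :create
    if action == :update
      raise ArgumentError, "update events need the list of changes" if changes.nil?
      details[:changed_fields] = changes.keys.sort # never the old/new values
    end

    context = {
      name: "#{action}_secret",
      author: actor,
      scope: secret.project || secret.group,
      target: secret.environment,
      message: "Secret #{secret.name} #{action} by #{actor}",
      additional_details: details
    }
    auditor.audit(context)
    context
  end
end
```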

Next Steps

  1. Identify integration points in the secrets manager code
  2. Add audit hooks for create/read/update/delete operations
  3. Test audit log generation and display