[Architecture Design for Rails+OpenBao] Audit logs for secrets manager
Overview
This ticket is for developing a design document (part of our architecture design) for streaming audit events from the secrets manager.
See conversation below about design goals: #470461 (comment 2520479333)
We aim to implement minimal audit log functionality for our Secrets Manager experiment using GitLab's existing audit logs system.
Requirements for Experiment
The audit logs must track:
- Creation of secrets
- Access to secrets
- Modification of secrets
- Deletion of secrets
Implementation Details
We will use Gitlab::Audit::Auditor to track secrets-related actions:

```ruby
# Emits one audit event per secret operation. `action` is the verb for the
# operation (create, access, update, delete); it becomes the event name.
def create_audit_event(secret, action)
  audit_context = {
    name: "#{action}_secret",                     # e.g. "create_secret"
    author: secret.created_by,                    # user performing the action
    scope: secret.project || secret.group,        # where the event is attributed
    target: secret.environment,                   # environment the secret belongs to
    message: "Secret #{action} by #{secret.created_by}"
  }
  ::Gitlab::Audit::Auditor.audit(audit_context)
end
```
| Key Actions | Data to Log |
|---|---|
| Creation | User, timestamp, secret name, environment |
| Access | User, timestamp, secret name |
| Modification | User, timestamp, secret name, changes |
| Deletion | User, timestamp, secret name |
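The following is an added example (not the project's code) that wires the four required operations from the requirements list to the per-action data in the table above. It uses a constructed in-memory stand-in, `FakeAuditor`, in place of `::Gitlab::Audit::Auditor` so it runs offline; the `User` and `Secret` structs and their field names are assumptions rather than the project's schema. The `additional_details` key is the real auditor's key for extra event data. The one design choice the example adds is redaction: the "changes" logged for a modification name the fields that changed, but a changed secret value is written only as `[REDACTED]`, so the audit trail never becomes a second copy of the secret.

```ruby
require 'time'

# Constructed stand-in for ::Gitlab::Audit::Auditor so the flow runs offline.
# It checks for the same required context keys and keeps events in memory.
class FakeAuditor
  REQUIRED_KEYS = %i[name author scope target message].freeze

  attr_reader :events

  def initialize
    @events = []
  end

  def audit(context)
    missing = REQUIRED_KEYS - context.keys
    raise ArgumentError, "missing audit keys: #{missing.inspect}" unless missing.empty?

    event = context.merge(created_at: Time.now.utc) # timestamp for every event
    @events << event
    event
  end
end

# Constructed sample models; field names are assumptions, not the project's schema.
User   = Struct.new(:username, keyword_init: true)
Secret = Struct.new(:name, :value, :environment, :project, :group, :created_by,
                    keyword_init: true)

# Emits one audit event per secret operation. The secret value is never
# written to the log; a changed value is recorded only as "[REDACTED]".
class SecretsAuditor
  SENSITIVE_FIELDS = %i[value].freeze

  def initialize(auditor:)
    @auditor = auditor
  end

  # Creation: user, timestamp, secret name, environment
  def created(secret, actor)
    emit('create', secret, actor, environment: secret.environment)
  end

  # Access: user, timestamp, secret name
  def accessed(secret, actor)
    emit('access', secret, actor)
  end

  # Modification: user, timestamp, secret name, changes
  # `changes` is { field => [old, new] }, the shape ActiveModel's saved_changes uses.
  def updated(secret, actor, changes)
    emit('update', secret, actor, changes: redact(changes))
  end

  # Deletion: user, timestamp, secret name
  def deleted(secret, actor)
    emit('delete', secret, actor)
  end

  private

  def emit(action, secret, actor, **details)
    @auditor.audit(
      name: "#{action}_secret",
      author: actor,
      scope: secret.project || secret.group,
      target: secret.name, # identify the secret by name, never by value
      message: "Secret #{secret.name} #{action} by #{actor.username}",
      additional_details: details.merge(secret_name: secret.name)
    )
  end

  # Keep field names and non-sensitive before/after values; hide secret values.
  def redact(changes)
    changes.to_h do |field, (before, after)|
      if SENSITIVE_FIELDS.include?(field)
        [field, '[REDACTED]']
      else
        [field, { from: before, to: after }]
      end
    end
  end
end

# Stand-alone run with constructed data.
if __FILE__ == $PROGRAM_NAME
  auditor = FakeAuditor.new
  audit = SecretsAuditor.new(auditor: auditor)
  alice = User.new(username: 'alice')
  secret = Secret.new(name: 'DB_PASSWORD', value: 'hunter2', environment: 'staging',
                      project: 'group/app', created_by: alice)
  audit.created(secret, alice)
  audit.accessed(secret, alice)
  audit.updated(secret, alice, value: ['hunter2', 'correct-horse'],
                               environment: ['staging', 'production'])
  audit.deleted(secret, alice)
  auditor.events.each { |e| puts "#{e[:name]}: #{e[:message]} #{e[:additional_details]}" }
end
```

In the real integration the `SecretsAuditor` would be constructed with `::Gitlab::Audit::Auditor` and called from the create/read/update/delete code paths; the redaction step is the part worth keeping regardless of which auditor backs it.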
Next Steps
- Identify integration points in the secrets manager code
- Add audit hooks for create/read/update/delete operations
- Test audit log generation and display