[Backend] Add Expiration Management to Secret Permissions
Why are we doing this work
The aim of this issue is to enhance OpenBao ACL policies by adding `expired_at` metadata to secret permissions and implementing runtime expiry validation during access attempts.
Things to be done:
- Add `expired_at` to the ACL policy's metadata.
- When granting access to secrets, add an additional check to make sure the permission has not expired.
Relevant links
Non-functional requirements
-
Documentation: -
Testing:
Implementation plan
- Add `expired_at` in `ee/lib/secrets_management/acl_policy_path.rb`: extend `AclPolicyPath` to carry `expired_at` and render it under `metadata` as an `expiration` attribute in the OpenBao policy.
- Add a validation on `expired_at` in `SecretsManagement::SecretPermission`.
- Tests
Verification steps
- Apply Rails-rendered policy to OpenBao → accepted without error.
- Policy with future expired_at → secret read succeeds.
- Policy with past expired_at → secret read denied (403 permission denied).
- Invalid timestamp format → OpenBao rejects policy.
- Existing policies without expired_at continue to work.
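The following is an added illustration of the implementation plan and the verification steps above; it is example code, not GitLab's or OpenBao's. The class name `AclPolicyPathExample`, the hash-shaped policy rendering and the `check_access` helper are assumptions made for this example.

```ruby
require 'time'

# Hypothetical model of a policy path that carries an optional expired_at
# timestamp. When present it is rendered under the path's metadata as
# "expiration", and an access check refuses the permission once that instant
# has passed. Not the real AclPolicyPath implementation.
class AclPolicyPathExample
  attr_reader :path, :capabilities, :expired_at

  def initialize(path, capabilities, expired_at: nil)
    @path = path
    @capabilities = capabilities
    # Malformed timestamps are rejected up front ("invalid timestamp -> rejected").
    @expired_at = expired_at.nil? ? nil : parse_timestamp!(expired_at)
  end

  # Render the policy as a hash; a nil expired_at produces no metadata block,
  # so existing policies without expired_at keep their current shape.
  def to_policy
    body = { 'capabilities' => capabilities }
    body['metadata'] = { 'expiration' => expired_at.iso8601 } if expired_at
    { 'path' => { path => body } }
  end

  # Runtime check at access time: expired once now >= expired_at.
  def expired?(now: Time.now.utc)
    return false if expired_at.nil?
    now >= expired_at
  end

  private

  def parse_timestamp!(value)
    Time.iso8601(value.to_s).utc
  rescue ArgumentError
    raise ArgumentError, "invalid expired_at timestamp: #{value.inspect}"
  end
end

# Evaluate an access attempt: :denied when the permission has expired,
# :allowed otherwise (the 403 case in the verification steps).
def check_access(policy_path, now: Time.now.utc)
  policy_path.expired?(now: now) ? :denied : :allowed
end
```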
Edited by Dmytro Biryukov