Secrets Manager: Add "Read value" permission to the secrets permissions UI
Problem
Non-CI/CD secret access (#594090) adds a new read_value permission to the secrets permission model so a principal can read a secret's actual value (not just its metadata). The backend wiring lands in #594090, but users cannot grant the new permission until the UI exposes it.
Until then, the access-token endpoint works at the backend / API level but is not usable in practice, because there is no way for an Owner to grant read_value through the UI.
Background: how UI permissions map to OpenBao
Each permission row a user sets for a principal becomes an ACL policy in OpenBao. Each option toggles a capability on a path. There are two paths: a metadata path and a value (data) path. The metadata-vs-value distinction is exactly which path the read capability lands on.
| UI permission | Action (model) | OpenBao capability | Path |
|---|---|---|---|
| Read metadata (today's "Read") | read_metadata |
read |
metadata path |
| Write | write |
create + update |
value path |
| Delete | delete |
delete |
value path |
| Read value (new) | read_value |
read |
value path |
Proposal
- Expose the new
read_valueaction in the secrets permission GraphQL mutations and types (permissions enum, create/update permission, permission type). - Add a "Read value" option to the secrets permission UI, for the same principal types already supported: a specific User, a Role (Reporter and up), a custom Member Role, or a Group.
- Clarify the labeling so "Read value" (the actual secret value) is clearly distinct from the existing read-metadata permission. Coordinate the exact wording with technical writing. Today's "Read" should be relabeled to "Read metadata".
- Enforce in the UI that "Read value" requires read-metadata (you cannot read a value for a secret you cannot otherwise see). Additive, not a replacement.
Permission action transition (read -> read_metadata)
The backend MR (#594090) lands the action change additively, so it can ship first without a lockstep deploy:
- Backend accepts both
readandread_metadataon input (aliases, both mean read-on-metadata-path). - Backend readback keeps emitting
readfor now, so the current UI is untouched. - Backend adds
read_value.
This frontend MR completes the migration (FE and BE ship together, so the deprecation removal happens here, not a separate follow-up):
- Send and display
read_metadatainstead ofread. - Add
read_valuehandling. - Remove the deprecated
read: stop sending it, flip backend readback to emitread_metadata, and drop thereadinput alias.
Scope
- In scope: GraphQL exposure of
read_value, the secrets permission UI changes, and completing theread->read_metadatamigration (including removing the deprecatedreadalias). - Out of scope: the permission model, OpenBao policy wiring, the auth role, and the endpoint (all in #594090). This issue does not block #594090 from merging; it makes the feature usable for end users.
Related
- #594090 (endpoint + backend wiring, where
read_valueand theread_metadataalias are defined)