Add kv configuration or policy option disallowing users to "Download secret value".

[ipaqmaster]

Is your feature request related to a problem? Please describe.
This feature appeared a while ago. When I go to vault I'm reminded that authenticated users can now save secret data as a plaintext file. I'm not sure how this feature made it into vault /ui/ but giving users the ability to save any secret they want onto a potentially unmanaged and unencrypted machine with one click and no protection on said secret isn't wonderful. Monitoring the Network tab under Developer Tools reveals that the Vault web client doesn't reach out with another API call and instead just saves what it has in memory with JS.

Describe the solution you'd like

A per-kv-engine or policy option to disable the download button feature on kv secret values.

Describe alternatives you've considered

Removing this feature.

Explain any additional use-cases

I cannot think of any good reason for Vault to offer users the opportunity of exporting secrets as a plaintext files in their Downloads folder.

Additional context

Searching online returns no results relating to this secret download feature or any discussion about it. A little confusing while searching for ways to disable the feature or learn more about it such as the release it were added in or relevant documentation. It appears to be part of ui/lib/core/addon/components/masked-input.hbs with relevant commits 01d5d1d, 43258c2, 88ed074, b5e82f5 and even includes a line {{#if @allowDownload}} though I cannot seem to find documentation about this feature with my poor searching skills.

[ccapurso]

Hi @ipaqmaster, I have not used this feature directly but access to the underlying secret entry in the KV backend is always provided via policies defined within Vault. The UI does not have a means to bypass Vault's policy checks. It essentially just a client making requests on your behalf with the token provided in the login response. Does this context decrease your concerns?

[ipaqmaster]

Hi @ccapurso and thanks for your reply.

Sorry for the confusion - I don't mean to imply that the ui is doing anything special to save the data. I'm merely pointing out that pressing that save button makes no additional request to Vault for an opportunity to 403 the attempt. It just saves what has already been fetched earlier without the cluster knowing nor having a say in the data being saved locally by the client.

This was an observation on the topic of disabling or preventing the feature from being used. Its implementation appears impossible to disable as its an entirely client side /ui/ feature.

[ccapurso]

Oh, thank you for the clarification @ipaqmaster! In this case, the user has already been permitted to retrieve the raw secret data which is stored in the browser's memory. Having the ability to prevent users from saving the plaintext secret data on their computers seems like a useful enhancement. I will label this issue to account for that. An enhancement like this would require internal review to determine a best course of action. We are also welcome to reviewing contributions if someone from the community has the desire of providing a solution.

[hellobontempo]

The original request was here #6364

We did improve this functionality by adding a modal to confirm the download which prevents users from accidentally clicking the download icon #23260 (merged in v1.14.4)

A policy option is not possible here because the download action is not an API request to a separate endpoint. I'm going to close this issue, but if the modal does not satisfy your request and instead you would like a separate/admin configuration for this specific action please re-open this issue and I can update the title of the request. Thank you for filing this issue!

[Brado231]

I agree with the OP on this one.

It is good that you have added a confirmation modal to download the secret, but we need an option to disable this functionality in the GUI altogether. In my use case, this functionality is a recipe for disaster... we will end up with usernames and passwords scattered on local machines unencrypted all throughout our environment. Telling people not to use this functionality is not enough, as there will always be people who do it regardless. For us there are major security implications to this feature and I have not been able to upgrade ever since this functionality was introduced as a result.

Can we please have an option to disable this from the GUI completely?

[adrianmoisey]

+1

Removing the ability to download secrets will be nice to have. I know that if someone has access to the secret, you can't stop them from getting it. But making it easy for them to get secrets isn't ideal.

[ipaqmaster]

I'm not sure what the motivation for this download button feature was.

Maybe one-off passwords. But still, allowing a user to download it as plaintext seems entirely outside the scope of using Vault in the first place.

[Brado231]

100%.

My company will not allow me to upgrade while this functionality is present.

[hellobontempo]

Reopening due to additional requests for this. I'll bring it up in our next internal product meeting and give an update