Add prefix support to password policies #31959

Open
wahajahmed010 wants to merge 1 commit into hashicorp:main from wahajahmed010:fix/31889-password-policy-prefix

@wahajahmed010

Summary

This PR adds a prefix field to password policy configuration in HashiCorp Vault, allowing generated passwords to include a configurable prefix string.

Problem

Currently, Vault-generated passwords have no prefix, making them impossible to identify with secret scanning tools. Vault already uses prefixes for its own tokens (e.g., hvs. for secrets), so this follows an existing pattern.

Changes

  • vault/logical_system.go: Added Prefix field to passwordPolicyConfig struct; updated handlePoliciesPasswordSet to accept and store prefix; updated handlePoliciesPasswordGet to return prefix; updated handlePoliciesPasswordGenerate to prepend prefix to generated passwords
  • vault/dynamic_system_view.go: Updated generatePassword to prepend prefix when set
  • vault/logical_system_paths.go: Added prefix field to passwordPolicySchema
  • vault/logical_system_test.go: Added tests for prefix functionality (with prefix, empty prefix)

Usage Example

# Create a policy with prefix
vault write sys/policies/password/my-policy \
  prefix="vault." \
  policy="length=20 rule \"charset\" { charset=\"abcdefghij\" }"

# Generate a password (e.g., "vault.ajdifbhoeigjhrfgc")
vault read sys/policies/password/my-policy/generate

Files Changed

  • vault/logical_system.go (+9 lines)
  • vault/dynamic_system_view.go (+9 lines)
  • vault/logical_system_paths.go (+4 lines)
  • vault/logical_system_test.go (+102 lines)

Closes #31889
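
The scanner-side counterpart to the prefix described above, as an added example that is not part of this pull request or of Vault's code: it builds a detection pattern from a policy's prefix, charset and length and runs it over constructed sample text. The names `detectorFor` and `findPasswords` are hypothetical, and the example assumes the prefix is followed by exactly `length` characters from the charset.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample input; only the first line holds a policy-shaped password.
const sample = `db_password = "vault.abcdefghijabcdefghij"
id = vaultXabcdefghijabcdefghij
note = vault.abc`

// detectorFor builds a scanner pattern for one policy. Assumption: the prefix
// is followed by exactly `length` characters drawn from `charset`.
func detectorFor(prefix, charset string, length int) (*regexp.Regexp, error) {
	if prefix == "" || charset == "" || length <= 0 {
		return nil, fmt.Errorf("prefix, charset and length are all required")
	}
	var class strings.Builder
	for _, r := range charset {
		if strings.ContainsRune(`\]^-`, r) {
			class.WriteByte('\\') // keep character-class metacharacters literal
		}
		class.WriteRune(r)
	}
	// QuoteMeta keeps the "." in "vault." literal; unquoted it matches "vaultX".
	// RE2 has no lookahead, so the tail group rejects longer charset runs.
	return regexp.Compile(fmt.Sprintf(`(%s[%s]{%d})(?:[^%s]|$)`,
		regexp.QuoteMeta(prefix), class.String(), length, class.String()))
}

// findPasswords returns every candidate password the pattern finds in text.
func findPasswords(re *regexp.Regexp, text string) []string {
	var hits []string
	for _, m := range re.FindAllStringSubmatch(text, -1) {
		hits = append(hits, m[1])
	}
	return hits
}

func main() {
	re, err := detectorFor("vault.", "abcdefghij", 20)
	if err != nil {
		panic(err)
	}
	fmt.Println(findPasswords(re, sample))
}
```

A policy with an empty prefix gets no detector at all, which is the gap the pull request describes.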

This adds a 'prefix' field to password policy configuration, allowing
generated passwords to include a configurable prefix. This enables
secret scanning tools to detect Vault-generated passwords.

Fixes hashicorp#31889
@wahajahmed010 wahajahmed010 requested a review from a team as a code owner May 12, 2026 22:26
@vercel

vercel Bot commented May 12, 2026

Someone is attempting to deploy a commit to the HashiCorp Team on Vercel.

A member of the Team first needs to authorize it.

@dosubot dosubot Bot added the size:S This PR changes 10-29 lines, ignoring generated files. label May 12, 2026
@hashicorp-cla-app

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes


Wahaj Ahmed seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA.
If you have already a GitHub account, please add the email address used for this commit to your account.

Have you signed the CLA already but the status is still pending? Recheck it.

@wahajahmed010
Author

CLA has been signed. Ready for review!

Labels

core/secret enhancement size:S This PR changes 10-29 lines, ignoring generated files.

Development

Successfully merging this pull request may close these issues.

Support prefixes in password policies