From c1c7c9c7734fc8cca33b8508fc22f296a2257c00 Mon Sep 17 00:00:00 2001
From: Barnaby Keene
Date: Wed, 15 Jul 2020 23:53:38 +0100
Subject: [PATCH] don't log secrets even with debug logging enabled (#71)
---
 secret/vault/vault.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/secret/vault/vault.go b/secret/vault/vault.go
index 24d31d7..9a0eabd 100644
--- a/secret/vault/vault.go
+++ b/secret/vault/vault.go
@@ -87,7 +87,7 @@ func (v *VaultSecrets) GetSecretsForTarget(name string) (map[string]string, erro
 }
 zap.L().Debug("found secrets in vault",
- zap.Any("secret", secret))
+ zap.Strings("secret", keys(env)))
 return env, nil
 }
@@ -152,6 +152,13 @@ func kvToMap(version int, data map[string]interface{}) (env map[string]string, e
 return
 }
+func keys(m map[string]string) (k []string) {
+ for x := range m {
+ k = append(k, x)
+ }
+ return
+}
+
 // because Vault has no way to know if a kv engine is v1 or v2, we have to check
 // for the /config path and if it doesn't exist, attempt to LIST the path, if
 // that succeeds, it's a v1, if it doesn't succeed, it *might still* be a v1 but
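Review bot: Nothing at the `zap.Strings("secret", keys(env))` call records why only key names are logged, so a later cleanup could switch back to `zap.Any` and put secret values into debug output again. A comment directly above the call would pin the intent, for example `// log key names only; secret values must never reach the log at any level`. Key names can themselves indicate which credentials a target holds, so where that metadata matters `zap.Int("count", len(env))` is a leaner field to log. GetSecretsForTarget starts outside this hunk, so any other log calls in it are not visible here.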
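Review bot: `keys` returns the names in Go's randomized map iteration order, so the same target yields differently ordered debug lines from one call to the next, which makes log comparison during an investigation harder. Pre-sizing and sorting would fix that: start the body with `k = make([]string, 0, len(m))` and add `sort.Strings(k)` before the return (this needs the `sort` import, which is not visible in this diff). The helper also has no doc comment; `// keys returns the key names of m, never the values, so the result is safe to log.` would state why it exists. Since the call site evaluates `keys(env)` before `Debug` checks the level, the slice is built on every lookup even with debug logging off.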