hashicorp / vault-plugin-secrets-alicloud
Dynamic secrets for Alibaba Cloud.
License: Mozilla Public License 2.0
When the service has access to the AliCloud VPC network, it should prioritize getting STS credentials through the VPC network rather than accessing the STS endpoints through the public network.
Therefore, I think we should provide an opportunity to allow users to connect to VPC endpoints instead of brute-force hard-coding a public network endpoint.
vault write alicloud/role/direct-mail remote_policies=name:AliyunDirectMailFullAccess,type:System
Error writing data to alicloud/role/direct-mail: Error making API request.
URL: PUT https://rubick.dev.wwrkr.cn:8200/v1/alicloud/role/direct-mail
Code: 500. Errors:
* 1 error occurred:
* policy type is required in name:AliyunDirectMailFullAccess
However, the following command succeeded:
vault write alicloud/role/direct-mail remote_policies='name:AliyunDirectMailFullAccess,type:System' remote_policies='name:AliyunDirectMailReadOnlyAccess,type:System'
Success! Data written to: alicloud/role/direct-mail
I believe Vault treats a comma-separated string as a list. Take this line of code for example: in the first case, strPolicies equals ["name:AliyunDirectMailFullAccess", "type:System"], which is not desired.
My Vault client version is:
Vault v1.1.3 ('9bc820f700f83a7c4bcab54c5323735a581b34eb')
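To make the failure mode above concrete, here is an added illustration (not the plugin's own code) of a parser that expects one "name:...,type:..." entry per list item, fed once with the comma-split list the unquoted CLI argument produces and once with one quoted argument per policy; remotePolicy, parseRemotePolicies and cliFieldToList are names chosen for this note.

```go
package main

import (
	"fmt"
	"strings"
)

// remotePolicy is the shape a role entry needs (illustration for this note, not plugin code).
type remotePolicy struct {
	Name string
	Type string
}
// parseRemotePolicies turns each "name:<policy>,type:<System|Custom>" entry into a
// remotePolicy and rejects entries missing either field (the error quoted above).
func parseRemotePolicies(entries []string) ([]remotePolicy, error) {
	var out []remotePolicy
	for _, entry := range entries {
		var p remotePolicy
		for _, kv := range strings.Split(entry, ",") {
			k, v, _ := strings.Cut(kv, ":") // a field without ":" simply matches neither key
			switch strings.TrimSpace(k) {
			case "name":
				p.Name = strings.TrimSpace(v)
			case "type":
				p.Type = strings.TrimSpace(v)
			}
		}
		if p.Name == "" {
			return nil, fmt.Errorf("policy name is required in %s", entry)
		}
		if p.Type == "" {
			return nil, fmt.Errorf("policy type is required in %s", entry)
		}
		out = append(out, p)
	}
	return out, nil
}

// cliFieldToList mimics the CLI turning one unquoted key=value argument into a list
// field by splitting on commas, which is what breaks the first command.
func cliFieldToList(raw string) []string { return strings.Split(raw, ",") }

func main() {
	bad := cliFieldToList("name:AliyunDirectMailFullAccess,type:System") // constructed, as in the report
	_, err := parseRemotePolicies(bad)
	fmt.Println(bad, "->", err) // "policy type is required in name:AliyunDirectMailFullAccess"
	good := []string{"name:AliyunDirectMailFullAccess,type:System", "name:AliyunDirectMailReadOnlyAccess,type:System"}
	ps, err := parseRemotePolicies(good)
	fmt.Println(ps, err)
}
```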
The plugin always requires that an access_key and secret_key be set due to this line:
https://github.com/hashicorp/vault-plugin-secrets-alicloud/blob/master/path_creds.go#L48
From reading the code, I believe credentials set in the environment would be used before the configured values, but I haven't tested this. Where this completely falls over is when attempting to use the recommended method of falling back to the credentials provided by an AliCloud ECS instance role.
Hello there,
I followed the docs, wrote the policy-based role like in the doc, and created a lease:
$ vault read alicloud/creds/policy-based
Key Value
--- -----
lease_id alicloud/creds/policy-based/HhFLFROWDeftRtwTJwtw5XuJ
lease_duration 768h
lease_renewable true
access_key LTAI4FtEqaL5JTy6hFvSdkAH
secret_key pPkGJMcxWV4I4JElfd19bt6rKtv6sx
$ vault read alicloud/role/policy-based
Key Value
--- -----
inline_policies [map[hash:8d5db9715fa1fd38c1609a65bf5a453d policy_document:map[Statement:[map[Action:[ram:CreateAccessKey ram:DeleteAccessKey ram:CreatePolicy ram:DeletePolicy ram:AttachPolicyToUser ram:DetachPolicyFromUser ram:CreateUser ram:DeleteUser sts:AssumeRole] Effect:Allow Resource:*]] Version:1]]]
max_ttl 0s
remote_policies <nil>
role_arn n/a
ttl 0s
When I revoked the lease, the access key was deleted successfully, but the policies and user remained. The Vault server showed this error log:
2020-03-16T17:23:36.787+0800 [ERROR] expiration: failed to revoke lease: lease_id=alicloud/creds/policy-based/HhFLFROWDeftRtwTJwtw5XuJ error="failed to revoke entry: resp: (*logical.Response)(nil) err: secret is missing inline_policies internal data"
This points to code line 141 in path_secrets.go:
// Inline policies are currently stored as remote policies, because they have been
// instantiated remotely and we need their name and type to now detach and delete them.
inlinePolicies, err := getRemotePolicies(req.Secret.InternalData, "inline_policies")
if err != nil {
	// This shouldn't be part of the multierror because if it returns empty inline policies,
	// then we won't go through the inlinePolicies loop and we'll think we're successful
	// when we actually didn't delete the inlinePolicies we need to.
	return nil, err
}
Have I done something wrong? Thanks.
We use AliCloud KMS to auto-unseal, so we have some AK/SK env variables in the Vault startup script.
But if I use the AliCloud secrets engine, the ak/sk configured in alicloud/config does not work.
I reviewed some code of that plugin:
It is defined to look for the env config first. That is not great; in the secrets engine case there is no need to read the env config, since the ak/sk will be defined in alicloud/config.
vault-plugin-secrets-alicloud/clients/creds.go
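The two reports above (the mandatory access_key/secret_key and the environment winning over alicloud/config) are both about credential precedence. This added illustration, not the plugin's code, resolves a source under either order and falls back to the ECS instance role; credSource, staticCreds and resolve are names chosen for this note.

```go
package main

import "fmt"

// Illustration written for this note, not the plugin's code: where an AK/SK pair can come from.
type credSource string

const (
	fromConfig   credSource = "alicloud/config"
	fromEnv      credSource = "environment"
	fromInstance credSource = "ECS instance role"
)

type staticCreds struct{ AccessKey, SecretKey string }

func (c staticCreds) complete() bool { return c.AccessKey != "" && c.SecretKey != "" }

// resolve picks the credential source. With envFirst=true it behaves the way the reports
// describe (environment wins even when alicloud/config is set); with envFirst=false the
// explicit engine config wins. The instance role is the final fallback in both orders.
func resolve(cfg, env staticCreds, instanceRole bool, envFirst bool) (credSource, error) {
	order := []struct {
		src   credSource
		creds staticCreds
	}{{fromConfig, cfg}, {fromEnv, env}}
	if envFirst {
		order[0], order[1] = order[1], order[0]
	}
	for _, o := range order {
		if o.creds.complete() { // a lone access_key or secret_key never counts as a pair
			return o.src, nil
		}
	}
	if instanceRole {
		return fromInstance, nil
	}
	return "", fmt.Errorf("no complete access_key/secret_key pair and no instance role")
}

func main() {
	// Constructed values: the unseal AK/SK sits in the environment, a different pair in alicloud/config.
	env := staticCreds{"LTAI_UNSEAL_EXAMPLE", "unseal-secret-example"}
	cfg := staticCreds{"LTAI_ENGINE_EXAMPLE", "engine-secret-example"}
	s, _ := resolve(cfg, env, false, true)
	fmt.Println("env-first (reported behaviour):", s)
	s, _ = resolve(cfg, env, false, false)
	fmt.Println("config-first:", s)
	s, _ = resolve(staticCreds{}, staticCreds{}, true, false)
	fmt.Println("no static pair, instance role:", s)
}
```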