Add Support for Static Account #107
Conversation
Co-authored-by: emily <[email protected]>
@lawliet89 thanks for working on this. This is one of the key features that we would love to see in Vault's GCP secret backend.
@husunal It might be a while before this gets reviewed going by the usual timelines. In the meantime, you can actually compile this yourself and load it up into Vault as a plugin to use it. The process is a bit cumbersome though. See https://www.vaultproject.io/docs/internals/plugins. I have a build for Linux AMD64 here, but for a security product like this, I think it's better off if you can compile and verify it yourself.
@lawliet89, thx for pushing that forward. Lovely feature that would perfectly fit CI/CD needs: having a static SA in the project with all needed permissions, you could get a (short-lived) token for that account via Vault in the build pipelines.
@lawliet89 100% agree with @peter-fe. Watching closely for this merge.
@lawliet89 Yes, I'd like to review this one soon. Thank you for your work on it!
Thanks carrying this forward, @lawliet89! Just started reviewing this and left some initial comments. I'll circle back for another review shortly.
Are you able to provide some Vault CLI usage examples of the feature? I was able to get most of the way there, but I had some trouble generating a service account key for a static account. Examples would be super helpful and valuable context for the PR.
Hi @austingebauer thanks for the review. I've cooked up a demo with Terraform on how you can configure a Vault server with a custom build of this plugin installed: https://github.com/lawliet89/vault-static-demo
I might need your help with some aspects of the PR as we go back and forth because:
Force-pushed 2f0f539 to a60ef69 (Remove unnecessary check; Fix description; Fix some inconsistencies)
I've answered/addressed the review comments. Also ran the integration tests and everything looks OK.
One more comment around the static account path, but otherwise looks good. Thanks a ton for picking this up!
Looks good to me 👍 Thanks again for carrying this forward!
Did you happen to already prepare documentation for this feature? If not, I'd be happy to help with that contribution over in the Vault repo.
@austingebauer I've not prepared the documentation yet. @calvn I've renamed the prefix to Re-running the acceptance tests:
Also, due to timezone differences, please feel free to make minor changes to the PR to get it accepted. You don't have to wait for me to respond 12 hours later 😅
Thanks, @lawliet89. LGTM. I'm going to merge this now.
I'm happy to write the documentation for the feature. Also open to collaborating on it 👍
Co-authored-by: Emily Ye <[email protected]> Co-authored-by: Calvin Leung Huang <[email protected]> Co-authored-by: Austin Gebauer <[email protected]>
@austingebauer I've opened a draft PR to work on the documentation: hashicorp/vault#12027. Please feel free to make any edits.
Thanks for doing that, @lawliet89! I'll work on the docs with you off of that branch.
@calvn, @austingebauer can you give a rough estimate of when this will be released?
@peter-fe - This is targeted to be released in Vault 1.8, which should go out around the end of July.
Overview
Fixes #60.
This is a cleanup of the original PR #67.
It adds support for Vault to use pre-created GCP Service Accounts and issue tokens/keys.
There are some scenarios where the environment is wary of allowing automated tools like Vault access to x.setIamPolicy permissions. This PR allows users to create these service accounts first, and then let Vault issue credentials.
Related Issues/Pull Requests
Docs will be added to upstream Vault once the code is reviewed and merged in.
Contributor Checklist
[ ] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
[x] Add output for any tests not run in CI to the PR description (e.g., acceptance tests)
[x] Backwards compatible