Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AppRole auth: add support for 'secret_id_bound_cidrs' and 'token_bound_cidrs' #220

Open
synaptis opened this issue Feb 17, 2020 · 1 comment

Comments

@synaptis
Copy link

vault-ruby currently supports the 'bound_cidrs' option for the AppRole auth method.

The 'bound_cidrs' option is deprecated in favour of the 'secret_id_bound_cidrs' and 'token_bound_cidrs' options. Could support for these new options please be added?

The lack of support for these options is the likely cause of an issue we see with our custom Puppet types and providers leveraging the vault-ruby gem to write the config.

A Puppet manifest configuring an AppRole might look like this:

vault_approle { 'my_approle':
ensure          => 'present',
vault_address   => https://active.vault.service.consul:8200,
role_id         => 'my_approle',
options         => {
  'policies'              => ['default', 'my_approle_read'],
  'secret_id_bound_cidrs' => ['10.XX.XX.XX/32'],
  'token_bound_cidrs'     => ['10.XX.XX.XX/32'],
  'token_max_ttl'         => 300,
  'token_num_uses'        => 10,
  'token_ttl'             => 300,
},
require         => [
  Vault_auth['approle'],
  Vault_policy['my_approle_read'],
]
}

The issue we are seeing is that all AppRoles are created and work as expected but are reconfigured on each Puppet run, this is due to the subnet mask being stripped from the configured ‘token_bound_cidrs’ as shown in the Puppet run output below:

Notice: /Stage[main]/Profiles::Vault_configuration/Vault_approle[my_approle]/options: options changed {
  'policies' => ['default', 'my_approle_read'],
  'secret_id_bound_cidrs' => ['10.XX.XX.XX/32'],
  'token_bound_cidrs' => ['10.XX.XX.XX'],
  'token_max_ttl' => 300,
  'token_num_uses' => 50,
  'token_ttl' => 300
} to {
  'secret_id_num_uses' => 0,
  'token_num_uses' => 50,
  'token_ttl' => 300,
  'token_max_ttl' => 300,
  'policies' => ['default', 'my_approle_read'],
  'secret_id_bound_cidrs' => ['10.XX.XX.XX/32'],
  'token_bound_cidrs' => ['10.XX.XX.XX/32']
} (corrective)
@Mahendrasiddappa
Copy link

Having same issue running Vault enterprise behind CloudFlare proxy. The token_bound_cidrs and secret_id_bound_cidrs does not work because client request ends at proxy and vault does not check for "x-forwarded-ip"

can you please suggest a solution for this issue ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants