Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Respect WithWrappingToken for all secret ID's in approle auth #13241

Merged
merged 5 commits into from
Nov 23, 2021
Merged

Respect WithWrappingToken for all secret ID's in approle auth #13241

merged 5 commits into from
Nov 23, 2021

Conversation

averche
Copy link
Contributor

@averche averche commented Nov 22, 2021
edited
Loading

Background

When authenticating with vault via AppRole, the secret ID can be specified in one of 3 ways:

  • FromFile
  • FromEnv
  • FromString

If the secret ID happens to be a wrapping token, the option auth.WithWrappingToken() will let the client know to treat it as such. However, the current implementation will only respect auth.WithWrappingToken() if the secret ID is specified from a file (FromFile) and silently fails otherwise, which could be surprising to callers.

The rationale behind this was that the wrapping token should be provided through a trusted orchestrator and is typically written to a file. However, it is conceivable that the trusted orchestrator would write it to an environment variable instead.

Solution

This PR will respect the auth.WithWrappingToken() for all secret ID's (whether specified via FromFile, FromEnv or FromString)

@hashicorp-cla
Copy link

hashicorp-cla commented Nov 22, 2021
edited
Loading

CLA assistant check
All committers have signed the CLA.

@averche averche requested a review from digivava November 22, 2021 22:29
@vercel vercel bot temporarily deployed to Preview – vault-storybook November 22, 2021 23:30 Inactive
@vercel vercel bot temporarily deployed to Preview – vault November 22, 2021 23:30 Inactive
@vercel vercel bot temporarily deployed to Preview – vault November 22, 2021 23:31 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook November 22, 2021 23:31 Inactive
@vercel vercel bot temporarily deployed to Preview – vault November 23, 2021 16:35 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook November 23, 2021 16:35 Inactive
digivava
digivava approved these changes Nov 23, 2021
View reviewed changes
Copy link
Collaborator

@digivava digivava left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome, thank you! Just one comment with something optional, but looks good to go otherwise.

api/auth/approle/approle.go Show resolved Hide resolved
api/auth/approle/approle.go Show resolved Hide resolved
@averche averche marked this pull request as ready for review November 23, 2021 17:48
@averche averche merged commit 83f9186 into main Nov 23, 2021
@averche averche deleted the respect-wrapping-token branch November 23, 2021 23:53
@peaceofthepai peaceofthepai added this to the 1.10 milestone Feb 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@digivava digivava digivava approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.10
Development

Successfully merging this pull request may close these issues.
4 participants
@averche @hashicorp-cla @digivava @peaceofthepai