
feat: allowing access to manage Vault from valid project tokens

Open agu3rra opened this issue 3 years ago • 5 comments

What this does

This change in openpolicyagent allows us to now use valid project tokens in order to manage Vault entries on Infrabox. Additionally, it also grants access to GET methods on /projects endpoints to facilitate project lookup from project name.

Why we need it

So that we can programmatically update Vault when, for example, we auto-rotate the secret-id value used to access it. Using personal accounts to do it (e.g.: LDAP) is not ok from a security perspective as any project admin would be able to retrieve that information and impersonate the owner of such accounts.

agu3rra avatar Oct 11 '22 19:10 agu3rra
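As an added illustration (not the policy from this PR or InfraBox's actual OPA rules), a Rego sketch of the rule set the description asks for: project tokens get GET on the projects endpoints and can manage Vault entries, with the Vault rule scoped to the project the token was issued for. The package name, the `input` fields and the path layout are all assumptions.

```rego
# Illustrative policy, not InfraBox's own. Assumed input document from the API:
#   input.method  -> HTTP method, e.g. "GET" or "POST"
#   input.path    -> path segments, e.g. ["api", "v1", "projects", "<id>", "vault"]
#   input.token   -> decoded token claims, e.g. {"type": "project", "project": {"id": "<id>"}}
package infrabox.authz

default allow = false

is_project_token {
    input.token.type == "project"
}

# Lookup of a project id from its name: GET /api/v1/projects
allow {
    is_project_token
    input.method == "GET"
    input.path == ["api", "v1", "projects"]
}

# GET /api/v1/projects/<project_id>
allow {
    is_project_token
    input.method == "GET"
    count(input.path) == 4
    input.path[0] == "api"
    input.path[1] == "v1"
    input.path[2] == "projects"
}

# Vault management under /api/v1/projects/<project_id>/vault[/<entry>],
# restricted to the project the token belongs to so one project's token
# cannot read or rewrite another project's Vault entries.
allow {
    is_project_token
    input.method == {"GET", "POST", "PUT", "DELETE"}[_]
    input.path[0] == "api"
    input.path[1] == "v1"
    input.path[2] == "projects"
    input.path[3] == input.token.project.id
    input.path[4] == "vault"
}
```

Because `input.path[4]` is undefined on shorter paths, the Vault rule simply fails to match rather than allowing anything; a token with no `project.id` claim is likewise denied by the equality check.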

@chengshifan Can you please review this? I am not sure if that's all it takes to grant the accesses we need to project tokens.

agu3rra avatar Oct 11 '22 19:10 agu3rra

Hi @agu3rra, let me test it on the infrabox test server. It will take several days since I have no capacity in Infrabox yet. Sorry for that. After testing, I will merge your code and then deploy to the Infrabox production env.

chengshifan avatar Oct 13 '22 08:10 chengshifan

Hi @agu3rra, your PR's pipeline got a lot of errors.

I created a PR to support project tokens in the Vault API.

chengshifan avatar Oct 18 '22 09:10 chengshifan

Hello @chengshifan! Access to Vault-specific endpoints alone won't cut it. I also need GET on projects and projects/<project_id> to facilitate project id lookup from project name. I've added the changes from your PR to this one. Can you please test once again? Thank you!

agu3rra avatar Oct 18 '22 18:10 agu3rra

Hi @agu3rra, still failed. How about setting the project id in each job's environment? Just like below.

chengshifan avatar Oct 19 '22 07:10 chengshifan

Closing since it's been implemented here.

agu3rra avatar Oct 20 '22 14:10 agu3rra