Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Overwriting a secret resets permissions? #49

Closed
dancmeyers opened this issue Jul 29, 2019 · 4 comments
Closed

Overwriting a secret resets permissions? #49

dancmeyers opened this issue Jul 29, 2019 · 4 comments

Comments

@dancmeyers
Copy link

This may be related to #40, I'm not sure. Regardless, I'm experiencing the following:

  1. Get data to be stored in secret(s) (in my case, the TLS private key and certificate for a DNS entry)
  2. Create secrets
  3. Grant the relevant service account for the hosts which the DNS resolves to access to those secrets, via berglas grant
  4. Rotate the secrets (i.e. TLS cert is due to expire, so generate a new private key and get a new cert for it, then use berglas create to overwrite the existing key/cert with the new ones)
  5. All 'grants' for the objects in GCS are missing, and have to be reissued

When an object already exists and I have the permissions to overwrite it with a new version I would expect the IAM permissions created as a result of the prior berglas grant call to be retained.

If this is an explicit expectation of create for security purposes or similar I would expect the edit functionality described in #40 to retain grants (I didn't manage to spot anything in the modifications of that PR that does this).

Or have I somehow managed to create a completely barmy GCS bucket that is behaving in an unexpected way? I tested using gsutil cp and verified that that is also not retaining the object permissions or metadata when a version of the object already exists, which surprised me.
@sethvargo
Copy link
Member

Hi @dancmeyers

Do you have versioning enabled on the bucket?

@maroux
Copy link
Contributor

maroux commented Jul 29, 2019

@dancmeyers Ah, that's an interesting bug. I believe GCS is designed to completely overwrite existing objects rather than updating the data. I ran into this with #40 (had to set metadata again even though I only wanted to modify the object data). I'll add a fix for this in #48 or a follow-up PR.

maroux added a commit to maroux/berglas that referenced this issue Jul 29, 2019
@maroux
Preserve ACL. Fixes GoogleCloudPlatform#49
ffe19c0
@maroux maroux mentioned this issue Jul 29, 2019
Closed
@dancmeyers
Copy link
Author

Hi @sethvargo,

Initially I didn't, but I wondered if that was part of the problem so I turned it on and tried again. The behaviour was the same.

@sethvargo
Copy link
Member

@maroux FWIW, I had to make some changes to your implementation. IAM is eventually consistent, so I needed to add some retry logic or else risk getting a 412 half the time.

@lock lock bot locked as resolved and limited conversation to collaborators Oct 29, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sethvargo @maroux @dancmeyers