Add the ability to generate tokens from AWS auth backend. #28
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add the vault_aws_auth_backend_login resource, which manages a "login", basically a token session. Ideally, this would be a data source that would generate a token on every read, and that's how the implementation started. However, because the EC2 instance auth method only allows a single authentication per host for a set amount of time, the refresh cycle made this useless as a data source--an API error would be thrown on every subsequent plan until the instance's identity was removed from the whitelist. Which isn't ideal. So instead this became a resource, so it could manage the requisite state (namely, the nonce) that is needed to reissue tokens to an instance that is already present in the whitelist. I opted to use the Read method to do the actual token creation, rather than in the Create function, to make this work essentially like a data source, issuing a new token on every call. The plus side of this is that the resource "just works". This could also be managed more like a typical resource, with the Create function creating the token, but due to limitations in the API, we can't read all the information about a token back, so the usefulness of that approach is more limited. Testing of this is weird, largely because Vault requires an EC2 instance be actually running to issue tokens on its auth info. And access to EC2's metadata server is needed, as well. Rather than trying to stand up EC2 instances and SSH into them as part of the tests, the tests that require the metadata server are skipped if the metadata server is unavailable.
catsby
approved these changes
Nov 10, 2017
| * `nonce` - (Optional) The unique nonce to be used for login requests. Can be | ||
| set to a user-specified value, or will contain the server-generated value | ||
| once a token is issued. EC2 instances can only acquire a single token until | ||
| the whitelist is tidied again unless they keep track of this nonce.e |
dandandy
pushed a commit
to dandandy/terraform-provider-vault
that referenced
this pull request
Jun 17, 2021
…th_backend_login Add the ability to generate tokens from AWS auth backend.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add the vault_aws_auth_backend_login resource, which manages a "login",
basically a token session. Ideally, this would be a data source that
would generate a token on every read, and that's how the implementation
started. However, because the EC2 instance auth method only allows a
single authentication per host for a set amount of time, the refresh
cycle made this useless as a data source--an API error would be thrown
on every subsequent plan until the instance's identity was removed from
the whitelist. Which isn't ideal.
So instead this became a resource, so it could manage the requisite
state (namely, the nonce) that is needed to reissue tokens to an
instance that is already present in the whitelist. I opted to use the
Read method to do the actual token creation, rather than in the Create
function, to make this work essentially like a data source, issuing a
new token on every call. The plus side of this is that the resource
"just works". This could also be managed more like a typical resource,
with the Create function creating the token, but due to limitations in
the API, we can't read all the information about a token back, so the
usefulness of that approach is more limited.
Testing of this is weird, largely because Vault requires an EC2 instance
be actually running to issue tokens on its auth info. And access to
EC2's metadata server is needed, as well. Rather than trying to stand up
EC2 instances and SSH into them as part of the tests, the tests that
require the metadata server are skipped if the metadata server is
unavailable.