-
Notifications
You must be signed in to change notification settings - Fork 535
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for alternative auth methods using a method-agnostic implementation #552
Conversation
pull updates from upstream
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jtcressy I'm super excited about this PR. Thanks for submitting it. Looking forward to hearing your thoughts.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well done. I ran the tests and everything is in order. The new code paths are hit. The docs are excellent. Just want to say a huge thank you for adding this.
💯
@jtcressy ... this is great work! Thank you for contributing. Do you know how this will interact with The use case is for human users to set variable role_id {
type = string
default = ""
}
variable secret_id {
type = string
default = ""
}
provider vault {
address = <some vault>
auth_login {
path = "auth/approle/login"
parameters = {
role_id = var.role_id
secret_id = var.secret_id
}
}
} ( cc @tyrannosaurus-becks ) |
Currently, the order of precedence is such:
note, Suggestions:
|
That was my plan B. It has the (small) downside of breaking our existing solution around Regardless, thank you for your work! |
Add support for alternative auth methods using a method-agnostic implementation
Hi, I decided to take a crack at #438 and I'm attempting to implement a method-agnostic authentication mechanism.
Additionally, this should still close #351, #428, and #346.
Use of this new config block overrides any token fetched from the token helpers or environment, including if you provide a token via the
token
provider argument.So far, I've only tested this with approle and userpass. In theory, all auth methods should work as long as they don't require anything complex. An acceptance test was only written for approle, so if we need to add coverage for other login methods anyone may feel free to do so.
My implementation introduces a new config block called
auth_login
:Some auth methods use parameters as part of the url, and those can just be included in the
path
argument:Acceptance tests have been ran against a local Vault Enterprise 1.1.5 premium server with
TF_ACC_ENTERPRISE=1
following the regexTestAcc.*ProviderConfigure
:Documentation included.
Again, I think I could've done more test coverage but this should at least validate this PR.