Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add the ability to generate tokens from AWS auth backend. #28

Merged
merged 2 commits into from
Nov 13, 2017

Conversation

paddycarver
Copy link
Contributor

Add the vault_aws_auth_backend_login resource, which manages a "login",
basically a token session. Ideally, this would be a data source that
would generate a token on every read, and that's how the implementation
started. However, because the EC2 instance auth method only allows a
single authentication per host for a set amount of time, the refresh
cycle made this useless as a data source--an API error would be thrown
on every subsequent plan until the instance's identity was removed from
the whitelist. Which isn't ideal.

So instead this became a resource, so it could manage the requisite
state (namely, the nonce) that is needed to reissue tokens to an
instance that is already present in the whitelist. I opted to use the
Read method to do the actual token creation, rather than in the Create
function, to make this work essentially like a data source, issuing a
new token on every call. The plus side of this is that the resource
"just works". This could also be managed more like a typical resource,
with the Create function creating the token, but due to limitations in
the API, we can't read all the information about a token back, so the
usefulness of that approach is more limited.

Testing of this is weird, largely because Vault requires an EC2 instance
be actually running to issue tokens on its auth info. And access to
EC2's metadata server is needed, as well. Rather than trying to stand up
EC2 instances and SSH into them as part of the tests, the tests that
require the metadata server are skipped if the metadata server is
unavailable.

Add the vault_aws_auth_backend_login resource, which manages a "login",
basically a token session. Ideally, this would be a data source that
would generate a token on every read, and that's how the implementation
started. However, because the EC2 instance auth method only allows a
single authentication per host for a set amount of time, the refresh
cycle made this useless as a data source--an API error would be thrown
on every subsequent plan until the instance's identity was removed from
the whitelist. Which isn't ideal.

So instead this became a resource, so it could manage the requisite
state (namely, the nonce) that is needed to reissue tokens to an
instance that is already present in the whitelist. I opted to use the
Read method to do the actual token creation, rather than in the Create
function, to make this work essentially like a data source, issuing a
new token on every call. The plus side of this is that the resource
"just works". This could also be managed more like a typical resource,
with the Create function creating the token, but due to limitations in
the API, we can't read all the information about a token back, so the
usefulness of that approach is more limited.

Testing of this is weird, largely because Vault requires an EC2 instance
be actually running to issue tokens on its auth info. And access to
EC2's metadata server is needed, as well. Rather than trying to stand up
EC2 instances and SSH into them as part of the tests, the tests that
require the metadata server are skipped if the metadata server is
unavailable.
Copy link
Contributor

@catsby catsby left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 1 typo in the docs I think

* `nonce` - (Optional) The unique nonce to be used for login requests. Can be
set to a user-specified value, or will contain the server-generated value
once a token is issued. EC2 instances can only acquire a single token until
the whitelist is tidied again unless they keep track of this nonce.e
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Extra e here I think, nonce.e

@paddycarver paddycarver merged commit d200767 into master Nov 13, 2017
@tyrannosaurus-becks tyrannosaurus-becks deleted the paddy_aws_auth_backend_login branch February 16, 2019 00:21
dandandy pushed a commit to dandandy/terraform-provider-vault that referenced this pull request Jun 17, 2021
…th_backend_login

Add the ability to generate tokens from AWS auth backend.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants