-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: add support for Vault AppRole auth (#2)
For more details, see : https://developer.hashicorp.com/vault/docs/auth/approle#approle-auth-method Signed-off-by: thomasgouveia <[email protected]>
- Loading branch information
1 parent
6700e36
commit 72bd801
Showing
2 changed files
with
53 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
package vaultauth | ||
|
||
import ( | ||
"context" | ||
"errors" | ||
|
||
"github.com/hashicorp/vault-client-go" | ||
"github.com/hashicorp/vault-client-go/schema" | ||
) | ||
|
||
var ( | ||
ErrRoleIdMustNotBeEmpty = errors.New("vault/auth/approle: the role-id must not be empty") | ||
ErrSecretIdMustNotBeEmpty = errors.New("vault/auth/approle: the secret-id must not be empty") | ||
) | ||
|
||
// approleStrategy defines the configuration that should be attached | ||
// to the command in order to configure the AppRole authentication. | ||
type approleStrategy struct { | ||
MountPath string `flag.name:"approle.mount-path" flag.default:"approle" flag.desc:"The path to the AppRole authentication method in your Vault."` | ||
RoleId string `flag.name:"approle.role-id" flag.desc:"The identifier of the role to use to perform the login."` | ||
SecretId string `flag.name:"approle.secret-id" flag.desc:"The secret identifier of the role to use to perform the login."` | ||
} | ||
|
||
// Ensure the implementation satisfies the interface. | ||
var ( | ||
_ vaultLoginStrategy = &approleStrategy{} | ||
) | ||
|
||
// login performs the login using the AppRole authentication method on Vault. | ||
func (s *approleStrategy) login(ctx context.Context, client *vault.Client) (*vault.ResponseAuth, error) { | ||
if s.RoleId == "" { | ||
return nil, ErrRoleIdMustNotBeEmpty | ||
} | ||
|
||
if s.SecretId == "" { | ||
return nil, ErrSecretIdMustNotBeEmpty | ||
} | ||
|
||
opts := []vault.RequestOption{vault.WithMountPath(s.MountPath)} | ||
req := schema.AppRoleLoginRequest{ | ||
RoleId: s.RoleId, | ||
SecretId: s.SecretId, | ||
} | ||
|
||
resp, err := client.Auth.AppRoleLogin(ctx, req, opts...) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
return resp.Auth, nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters