
Vault RA mode supports AWS auth method

Open leonweecs opened this issue 1 year ago • 4 comments

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Currently, the Vault RA mode of step-ca only supports approle and kubernetes auth methods.

We would like to add support for AWS auth method.

Why is this needed?

At the moment, if we are using step-ca in Vault RA mode and not hosting it in kubernetes, the only way to authenticate to Vault is with approle.

The approle auth method is considerably more complicated to implement right compared to platform identity auth (cloud provider IAM roles, Kubernetes service accounts, etc.).

In fact, HashiCorp recommends going with platform identity whenever possible, and if not, then approle.

Applications authenticating through the platform is best, but not every platform has Vault auth integration. You might be in a cloud without any authentication plugin for Vault, or you might be using bare metal. Fortunately, Vault has an auth method that can give you many of the advantages of platform-based authentication even without native platform integration: AppRole lets you build a trusted broker for your applications easily and effectively. (Source)

Notes

I am working on a PR to implement this.

leonweecs avatar Jul 30 '24 23:07 leonweecs

Feel free to assign this to me and I will be raising a PR soon.

leonweecs avatar Jul 30 '24 23:07 leonweecs

Hi @leonweecs, we are willing to merge AWS or other major cloud authentication in our vault CAS implementation. I've been looking a bit into it, and it looks quite straightforward.

In general, a proper PR would be implemented in a new package, github.com/smallstep/certificates/cas/vaultcas/auth/aws, in a similar way as kubernetes and approle are. A new AuthOptions struct will contain specific configuration options for Vault, like role, and for AWS, like region. Although you can set some of the AWS credentials like accessKeyId or secretAccessKey as environment variables, it probably makes sense to be able to use the custom authOptions to encode those. You should add unit tests, too, as much as possible.

Then, you should write some documentation in the PR so we can integrate it in https://github.com/smallstep/docs, although you can instead add a PR there.

I'll assign this to you. Let me know if you have any questions.

maraino avatar Aug 06 '24 22:08 maraino
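The design maraino sketches above (a new auth package whose AuthOptions carries the Vault role alongside AWS settings such as region, with credentials taken from the config or from the environment) is worked through below as an added example. This is not code from step-ca, from the thread, or from the PR discussed here. It assumes hypothetical JSON key names for the options, signs a GetCallerIdentity request against the regional STS endpoint (the Vault server must be configured to accept that endpoint), and builds the body that Vault's aws auth method (iam type) expects at auth/aws/login; the credentials in the test are constructed dummies.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuthOptions keeps the Vault-side setting (role) next to the AWS-side ones; the JSON key names are assumed for this example, not step-ca's schema.
type AuthOptions struct {
	Role            string `json:"role"`
	Region          string `json:"region"`
	AccessKeyID     string `json:"accessKeyId,omitempty"`
	SecretAccessKey string `json:"secretAccessKey,omitempty"`
	SessionToken    string `json:"sessionToken,omitempty"` // required with temporary (STS) credentials
}

// LoadAuthOptions decodes authOptions; credentials absent from the config fall back
// to the standard AWS environment variables, read through getenv for testability.
func LoadAuthOptions(raw []byte, getenv func(string) string) (AuthOptions, error) {
	var o AuthOptions
	if err := json.Unmarshal(raw, &o); err != nil {
		return o, err
	}
	pick := func(v, env string) string {
		if v != "" {
			return v
		}
		return getenv(env)
	}
	o.AccessKeyID = pick(o.AccessKeyID, "AWS_ACCESS_KEY_ID")
	o.SecretAccessKey = pick(o.SecretAccessKey, "AWS_SECRET_ACCESS_KEY")
	o.SessionToken = pick(o.SessionToken, "AWS_SESSION_TOKEN")
	if o.Role == "" || o.Region == "" || o.AccessKeyID == "" || o.SecretAccessKey == "" {
		return o, fmt.Errorf("vault aws auth: role, region and AWS credentials are required (role=%q region=%q)", o.Role, o.Region)
	}
	return o, nil
}

func hmacSHA256(key []byte, data string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(data))
	return m.Sum(nil)
}

func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// VaultLoginPayload signs a POST sts:GetCallerIdentity request to the regional STS endpoint
// with SigV4 and packs it as Vault's aws auth method (iam type) expects at auth/aws/login.
// Nothing is sent from here: Vault itself replays the signed request to STS during login.
func VaultLoginPayload(o AuthOptions, now time.Time) map[string]string {
	const body = "Action=GetCallerIdentity&Version=2011-06-15"
	host := "sts." + o.Region + ".amazonaws.com"
	amzDate := now.UTC().Format("20060102T150405Z")
	headers := map[string][]string{
		"content-type": {"application/x-www-form-urlencoded; charset=utf-8"},
		"host":         {host},
		"x-amz-date":   {amzDate},
	}
	if o.SessionToken != "" {
		headers["x-amz-security-token"] = []string{o.SessionToken}
	}
	var names []string
	for n := range headers {
		names = append(names, n)
	}
	sort.Strings(names) // canonical headers are ordered by lowercase name
	var canon strings.Builder
	for _, n := range names {
		canon.WriteString(n + ":" + strings.TrimSpace(headers[n][0]) + "\n")
	}
	signed := strings.Join(names, ";")
	canonicalRequest := strings.Join([]string{"POST", "/", "", canon.String(), signed, sha256Hex(body)}, "\n")
	scope := amzDate[:8] + "/" + o.Region + "/sts/aws4_request"
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonicalRequest)}, "\n")
	k := hmacSHA256([]byte("AWS4"+o.SecretAccessKey), amzDate[:8]) // kDate
	for _, part := range []string{o.Region, "sts", "aws4_request"} { // kRegion, kService, kSigning
		k = hmacSHA256(k, part)
	}
	sig := hex.EncodeToString(hmacSHA256(k, stringToSign))
	headers["authorization"] = []string{fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s", o.AccessKeyID, scope, signed, sig)}
	hj, _ := json.Marshal(headers) // map[string][]string cannot fail to marshal
	return map[string]string{
		"role":                    o.Role,
		"iam_http_request_method": "POST",
		"iam_request_url":         base64.StdEncoding.EncodeToString([]byte("https://" + host + "/")),
		"iam_request_body":        base64.StdEncoding.EncodeToString([]byte(body)),
		"iam_request_headers":     base64.StdEncoding.EncodeToString(hj),
	}
}
```

The secret access key never leaves the process: only the SigV4 signature does, and because x-amz-date is signed, Vault (and STS) reject replays outside the allowed clock skew. Static keys in authOptions are the fallback for bare-metal hosts; on EC2 or ECS the environment or instance role supplies temporary credentials, which is why the session token must be both sent and signed.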

Hi @maraino, thanks for the pointers and apologies for the delay in the PR. I am still waiting for approval from my company's legal team to sign the CLA.

It was mentioned in the Individual CLA that there is potentially a Corporate CLA (which is preferable for us). Any chance you can forward/link that to me? I've also raised a support request regarding this from the official website.

leonweecs avatar Aug 08 '24 22:08 leonweecs

Hi @leonweecs, I will raise this with my team next week. The people who can help me with that are at DEF CON right now.

maraino avatar Aug 09 '24 19:08 maraino

Hi @maraino, I have raised a PR for this. Do you mind having a look when you are available?

leonweecs avatar Aug 28 '24 23:08 leonweecs