
add support for appRole authentication

Open josueCarvajal opened this issue 2 years ago • 2 comments

Problem statement

Due to business requirements we want to move away from Kubernetes auth to AppRole authentication. So far, the implementation goes well with HashiCorp Vault and tools consuming an AppRole and using the HashiCorp Agent Injector, but when trying to use the BanzaiCloud webhook we are facing a limitation with the Banzai webhook that might make us re-plan our strategy of moving to this method.

Scenario details

These are our annotations for the Banzai webhook:

    vault.security.banzaicloud.io/vault-auth-method: "approle"
    vault.security.banzaicloud.io/vault-path: "approle"
    vault.security.banzaicloud.io/vault-role: "my-app-role"
    vault.security.banzaicloud.io/vault-addr: "https://dev-vault.dev-vault:8200"
    vault.security.banzaicloud.io/vault-skip-verify: "true"

and the error we are getting is the following:

"Error making API request.\n\nURL: PUT https://dev-vault.dev-vault:8200/v1/auth/approle/login\nCode: 500. Errors:\n\n* failed to determine alias name from login request"

By digging around I was able to log in via the CLI using the following POST request:

    curl \
        --request POST \
        --data '{"role_id":"1201c30b-..."}' \
        https://vault.domain/v1/auth/approle/login

But when using the following POST request, with role_name instead of role_id:

    curl \
        --request POST \
        --data '{"role_name":"my-role-name"}' \
        https://vault.domain/v1/auth/approle/login

I get the same error, meaning that the webhook is building the POST request in the same way:

    {"errors":["failed to determine alias name from login request"]}

Also, I was looking at the annotation vault.security.banzaicloud.io/token-auth-mount, but I'm not sure how it works. When I enabled it as a volume mount with the token, the webhook was not injected. If this is a missing piece in this puzzle, could you please guide me through an example of how to use it?

Versions used:

  • webhook: 1.19.1
  • vault-env: 1.19.1
  • vault: 1.15.0
  • eks: 1.27
  • cloud: aws

Questions

  • By checking the official doc, it looks like AppRole auth is not in the list. Is it supported?

        vault.security.banzaicloud.io/vault-auth-method: The [Vault authentication method](https://developer.hashicorp.com/vault/docs/auth) to be used, one of ["kubernetes", "aws-ec2", "aws-iam", "gcp-gce", "gcp-iam", "jwt", "azure", "namespaced"]

  • If not supported, is there a plan to support it?
  • Am I missing something in our implementation?

Thanks in advance!

josueCarvajal avatar Nov 16 '23 16:11 josueCarvajal
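
The request shape Vault's AppRole login endpoint actually expects, as an added shell example (not code from the issue or from the webhook project). It assumes curl and jq are available and that the secret_id is mounted as a file; the role_id and secret_id values in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Vault's AppRole login takes role_id plus (by default) secret_id; there is no
# role_name field, which is why a body like {"role_name":...} fails with
# "failed to determine alias name from login request".
set -eu

# Build the JSON login body. Assumes role_id/secret_id need no JSON escaping
# (they are UUIDs as Vault issues them). Fails if role_id is empty.
approle_login_payload() {
  role_id="$1"
  secret_id="${2:-}"
  [ -n "$role_id" ] || { echo "approle_login_payload: role_id is required" >&2; return 1; }
  if [ -n "$secret_id" ]; then
    printf '{"role_id":"%s","secret_id":"%s"}' "$role_id" "$secret_id"
  else
    # Only valid when the role was created with bind_secret_id=false.
    printf '{"role_id":"%s"}' "$role_id"
  fi
}

# Login endpoint for a Vault address and the auth mount path
# (the mount path is what the vault-path annotation above names).
approle_login_url() {
  addr="${1%/}"
  mount="${2:-approle}"
  printf '%s/v1/auth/%s/login' "$addr" "$mount"
}

# Perform the login and print only the client token. secret_id is read from a
# file (e.g. a mounted Kubernetes Secret) so it never appears in argv or logs.
approle_login() {
  addr="$1"; mount="$2"; role_id="$3"; secret_id_file="$4"
  secret_id="$(cat "$secret_id_file")"
  body="$(approle_login_payload "$role_id" "$secret_id")"
  curl --silent --show-error --fail \
       --request POST \
       --data "$body" \
       "$(approle_login_url "$addr" "$mount")" \
    | jq -r '.auth.client_token'
}

# Usage (constructed placeholder values, not real credentials):
#   approle_login https://dev-vault.dev-vault:8200 approle \
#       "$ROLE_ID_PLACEHOLDER" /var/run/secrets/approle/secret_id
```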

We currently don't support it, but we definitely should have this in place as well. Will add to backlog for future implementations, but we don't really have a deadline on when we can start working on this.

ramizpolic avatar Feb 09 '24 18:02 ramizpolic