doctl icon indicating copy to clipboard operation
doctl copied to clipboard
verified publisher icon digitalocean

Support for getting do_token from Vault

Open wgebis opened this issue 4 years ago • 4 comments

What is the problem this feature would solve? Please describe. Now, doctl after auth init action, saves long-lived token for DO resources in a file system (config file).

Describe the solution you'd like doctl auth should allow bypass the local storage and get the desired token from Vault repository. In that case, short-lived Vaults tokens will allow to getting long-lived. Similar features are available in terms of shadowing secrets on well-known cloud providers as with the AWS, Azure etc.

So the desired scenario might look like:

  1. Call doctl auth init for getting Vault connection properties.
  2. Call vault login in order to login into Vault (e.g. via OIDC provider, GitHub etc.)
  3. Use doctl as usual, but in the background, doctl uses Vault client and honoured the default token from ~/.vault-token in terms of getting target DO token.

Additional context This suggestion improves significantly security in case of using doctl on the desktop env. It avoids storing DO tokens locally on fs.

wgebis avatar Dec 28 '20 16:12 wgebis

Thank you for the suggestion @wgebis! We welcome your contribution and will certainly consider implementing your suggestion.

scotchneat avatar Jan 25 '21 16:01 scotchneat

Can i try to contribute for this issue

Utsavk avatar May 23 '21 07:05 Utsavk

Hello @Utsavk ! Yes we are open to all PR's from the community, and will gladly help you get it merged :) thank you for the interest.

ChiefMateStarbuck avatar May 24 '21 14:05 ChiefMateStarbuck

thanks @ChiefMateStarbuck

Utsavk avatar May 24 '21 19:05 Utsavk