
Add AWS secrets engine policy templating support

Open adrien-f opened this issue 3 years ago • 8 comments

This change brings the possibility for users to configure templating of policies based on claims issued from auth sources.

This enables many use-cases like scoping CI/CD permissions based on Gitlab or Github JWT claims.

See #9934

Signed-off-by: Adrien Fillon [email protected]

adrien-f avatar Aug 04 '22 13:08 adrien-f
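As an added illustration of the idea in the PR description (this is not code from the pull request or from Vault itself), the sketch below renders an AWS IAM policy document from placeholders written in the same `{{identity.entity.aliases.<accessor>.metadata.<key>}}` style that Vault's templated ACL policies use, substituting values that a JWT auth mount would have copied from a CI token's claims into the entity alias metadata. It assumes that an AWS role's policy document would accept that placeholder syntax, which is an assumption about the feature rather than a description of how the PR implements it. The mount accessor `auth_jwt_abc123`, the claim values and the S3 bucket name are all constructed for the example. The one check worth carrying into any real implementation is shown explicitly: a claim value such as `*` or `?` substituted into a `Resource` ARN would silently widen the grant, so substituted values are restricted to a conservative character set before the document is accepted.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Constructed sample metadata: the values a GitLab CI job token might carry
// (project_path, ref, ref_type) after the JWT auth method has copied them onto
// the entity alias via claim_mappings. Illustrative only, not from a real token.
var sampleAliasMetadata = map[string]string{
	"project_path": "acme/payments",
	"ref":          "main",
	"ref_type":     "branch",
}

// Constructed IAM policy template. The accessor name auth_jwt_abc123 is made up;
// a real one is the accessor of the JWT/OIDC auth mount (see `vault auth list`).
const policyTemplate = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::ci-artifacts/{{identity.entity.aliases.auth_jwt_abc123.metadata.project_path}}/{{identity.entity.aliases.auth_jwt_abc123.metadata.ref}}/*"
  }]
}`

// placeholder matches the templated-policy form
// {{identity.entity.aliases.<accessor>.metadata.<key>}}.
var placeholder = regexp.MustCompile(`\{\{identity\.entity\.aliases\.([A-Za-z0-9_]+)\.metadata\.([A-Za-z0-9_]+)\}\}`)

// safeValue is this example's own allow-list for substituted values: no IAM
// wildcards (* ?), no quotes or backslashes that could break the JSON string.
var safeValue = regexp.MustCompile(`^[A-Za-z0-9._/-]+$`)

// RenderPolicy fills every placeholder for the given mount accessor from the
// alias metadata, refuses unknown accessors, missing keys and unsafe values,
// and verifies the result is still well-formed JSON.
func RenderPolicy(tmpl, accessor string, metadata map[string]string) (string, error) {
	var renderErr error
	out := placeholder.ReplaceAllStringFunc(tmpl, func(m string) string {
		sub := placeholder.FindStringSubmatch(m)
		if sub[1] != accessor {
			renderErr = fmt.Errorf("unknown mount accessor %q", sub[1])
			return m
		}
		v, ok := metadata[sub[2]]
		if !ok {
			renderErr = fmt.Errorf("metadata key %q not present on alias", sub[2])
			return m
		}
		if !safeValue.MatchString(v) {
			renderErr = fmt.Errorf("metadata key %q has unsafe value %q", sub[2], v)
			return m
		}
		return v
	})
	if renderErr != nil {
		return "", renderErr
	}
	var doc map[string]any
	if err := json.Unmarshal([]byte(out), &doc); err != nil {
		return "", fmt.Errorf("rendered policy is not valid JSON: %w", err)
	}
	return out, nil
}

func main() {
	rendered, err := RenderPolicy(policyTemplate, "auth_jwt_abc123", sampleAliasMetadata)
	if err != nil {
		fmt.Println("render failed:", err)
		return
	}
	fmt.Println(rendered)

	// A hostile or misconfigured claim value must not widen the ARN.
	bad := map[string]string{"project_path": "*", "ref": "main"}
	if _, err := RenderPolicy(policyTemplate, "auth_jwt_abc123", bad); err != nil {
		fmt.Println("rejected as expected:", err)
	}
}
```

The rendered document scopes the job to `ci-artifacts/acme/payments/main/*`, and the second call shows that a `project_path` of `*` is refused rather than being turned into `ci-artifacts/*/main/*`. In a real deployment the `claim_mappings` on the JWT auth mount and the `bound_claims` that restrict which tokens may log in are what make these metadata values trustworthy in the first place; templating only controls what is done with them afterwards.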

Thanks @norpol for the feedback 😄

adrien-f avatar Sep 02 '22 10:09 adrien-f

Hey @ccapurso do you think someone at Hashicorp could look into this pull request? I know Hashicorp is not super open to pull requests, but this is a great feature to have.

norpol avatar Oct 09 '22 08:10 norpol

Hey @calvn could you imagine reviewing this as well? I think it would bring a lot of value once merged. Kinda feels like partly overlapping with the request https://github.com/hashicorp/vault/pull/21741 here

norpol avatar Aug 12 '23 14:08 norpol

Hey there ;)

I'm able to rebase it after the long weekend if needed 😌

adrien-f avatar Aug 12 '23 15:08 adrien-f

📄 Content Checks

Updated: Wed, 20 Mar 2024 14:04:48 GMT

Found 1 error(s)

content/docs/secrets/aws.mdx

Position: 168:5-168:107
Description: Unexpected fully-qualified link to developer.hashicorp.com: https://developer.hashicorp.com/vault/docs/concepts/policies#templated-policies. Replace with a relative path internal to Developer. Possibly: /vault/docs/concepts/policies#templated-policies.
Rule: ensure-valid-link-format

Greetings!

I still do believe this PR would improve the Vault product and help users correctly secure their CI/CD pipelines, is this something that could be reviewed 🙏 ?

adrien-f avatar Mar 20 '24 14:03 adrien-f

@adrien-f Perhaps you want to give your PR a try over at https://github.com/openbao/openbao, though I suppose checking in whether they can accept such thing already first might be good (they are on Matrix and have GitHub Discussions active).

norpol avatar Mar 20 '24 15:03 norpol

> @adrien-f Perhaps you want to give your PR a try over at https://github.com/openbao/openbao, though I suppose checking in whether they can accept such thing already first might be good (they are on Matrix and have GitHub Discussions active).

Currently OpenBao does not have any AWS integrations; they are working on bringing it back. See https://github.com/openbao/openbao/issues/542

This means that sadly contributing this to OpenBao is not an option at this time.

archoversight avatar Sep 30 '24 21:09 archoversight