
add support for appRole authentication #251

Open
josueCarvajal opened this issue Nov 16, 2023 · 1 comment
Labels
area/auth kind/feature Categorizes issue or PR as related to a new feature. lifecycle/keep Denotes an issue or PR that should be preserved from going stale.

Comments

josueCarvajal commented Nov 16, 2023

Problem statement

Due to business requirements we want to move away from Kubernetes auth and use AppRole authentication.
So far the implementation goes well with HashiCorp Vault and tools consuming an AppRole via the HashiCorp agent injector,
but when trying to use the BanzaiCloud webhook we are facing a limitation with the Banzai webhook that might make us re-plan our strategy of moving to this method.

Scenario details

These are our annotations for the Banzai webhook:

    vault.security.banzaicloud.io/vault-auth-method: "approle"
    vault.security.banzaicloud.io/vault-path: "approle"
    vault.security.banzaicloud.io/vault-role: "my-app-role"
    vault.security.banzaicloud.io/vault-addr: "https://dev-vault.dev-vault:8200"
    vault.security.banzaicloud.io/vault-skip-verify: "true"

and the error we are getting is the following:

"Error making API request.\n\nURL: PUT https://dev-vault.dev-vault:8200/v1/auth/approle/login\nCode: 500. Errors:\n\n* failed to determine alias name from login request"

By digging around I was able to log in via the CLI using the following POST request:

curl \
    --request POST \
    --data '{"role_id":"1201c30b-..."}' \
    https://vault.domain/v1/auth/approle/login

But when using the following POST request, with role_name instead of role_id:

curl \
    --request POST \
    --data '{"role_name":"my-role-name"}' \
    https://vault.domain/v1/auth/approle/login

I get the same error, meaning that the webhook is building the POST request in the same way:

{"errors":["failed to determine alias name from login request"]}

Also, I was looking at the annotation vault.security.banzaicloud.io/token-auth-mount, but I am not sure how it works; when I enabled it as a volume mount with the token, the webhook was not injected. If this is a missing piece in this puzzle, could you please guide me through an example of how to use it?

Versions used:

  • webhook: 1.19.1
  • vault-env: 1.19.1
  • vault: 1.15.0
  • eks: 1.27
  • cloud: aws

Questions

  • By checking the official doc, it looks like AppRole auth is not in the list; is it supported?
vault.security.banzaicloud.io/vault-auth-method: The [Vault authentication method](https://developer.hashicorp.com/vault/docs/auth) to be used, one of ["kubernetes", "aws-ec2", "aws-iam", "gcp-gce", "gcp-iam", "jwt", "azure", "namespaced"]
  • If not supported, is there a plan to support it?
  • Am I missing something in our implementation?

Thanks in advance!
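The request shape behind the two curl commands above, as an added example that is not the webhook's or Vault's own code: a minimal Go client that builds the AppRole login request exactly as the first curl command does (role_id, plus secret_id when the role binds one) and refuses to send a role name, which the login endpoint has no field for. The FakeVault handler is a constructed stand-in, not Vault: it reproduces only the behaviour visible on this page (a body with no role_id gets the 500 and "failed to determine alias name from login request"), and the role_id, secret_id and token values are constructed samples. The mount path "approle" matches the vault-path annotation above.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AppRoleLogin is the payload Vault's AppRole backend expects at
// POST /v1/auth/<mount>/login. There is no role *name* field: names exist only
// on the management path (auth/<mount>/role/<name>), which is why a payload
// carrying role_name produces the "failed to determine alias name" error.
type AppRoleLogin struct {
	RoleID   string `json:"role_id"`
	SecretID string `json:"secret_id,omitempty"` // may be omitted only for roles created with bind_secret_id=false
}

// loginResponse is the subset of Vault's login reply this example reads.
type loginResponse struct {
	Auth struct {
		ClientToken   string `json:"client_token"`
		LeaseDuration int    `json:"lease_duration"`
	} `json:"auth"`
	Errors []string `json:"errors"`
}

// BuildLoginRequest builds the same request as the first curl command on the page.
// It refuses a payload without role_id, which is the mistake the second curl
// command (role_name) makes and the one the webhook's vault-role annotation invites.
func BuildLoginRequest(vaultAddr, mount string, creds AppRoleLogin) (*http.Request, error) {
	if creds.RoleID == "" {
		return nil, errors.New("approle login needs role_id; the login endpoint does not accept a role name")
	}
	body, err := json.Marshal(creds)
	if err != nil {
		return nil, err
	}
	url := strings.TrimRight(vaultAddr, "/") + "/v1/auth/" + strings.Trim(mount, "/") + "/login"
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	return req, nil
}

// Login sends the request and returns the client token, or Vault's error list
// (the {"errors":[...]} body quoted on the page) as a Go error.
func Login(client *http.Client, req *http.Request) (string, error) {
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	var parsed loginResponse
	if err := json.Unmarshal(raw, &parsed); err != nil {
		return "", fmt.Errorf("decoding Vault reply: %w", err)
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("vault returned code %d: %s", resp.StatusCode, strings.Join(parsed.Errors, "; "))
	}
	if parsed.Auth.ClientToken == "" {
		return "", errors.New("login reply carried no client_token")
	}
	return parsed.Auth.ClientToken, nil
}

// FakeVault is a constructed stand-in for the login endpoint, not Vault itself.
// It reproduces only what the page shows: no role_id -> the quoted 500; the
// expected role_id/secret_id pair -> a token. The 400 branch and its message
// are constructed for the example.
func FakeVault(roleID, secretID string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/auth/approle/login", func(w http.ResponseWriter, r *http.Request) {
		var got AppRoleLogin
		_ = json.NewDecoder(r.Body).Decode(&got)
		w.Header().Set("Content-Type", "application/json")
		switch {
		case got.RoleID == "":
			w.WriteHeader(http.StatusInternalServerError)
			fmt.Fprint(w, `{"errors":["failed to determine alias name from login request"]}`)
		case got.RoleID != roleID || got.SecretID != secretID:
			w.WriteHeader(http.StatusBadRequest)
			fmt.Fprint(w, `{"errors":["invalid role or secret ID"]}`)
		default:
			fmt.Fprint(w, `{"auth":{"client_token":"hvs.constructed-example-token","lease_duration":3600}}`)
		}
	})
	return mux
}

func main() {
	srv := httptest.NewServer(FakeVault("1201c30b-constructed", "constructed-secret-id"))
	defer srv.Close()
	// Constructed sample credentials. In a pod they would come from a mounted
	// Secret, never from a pod annotation: annotations are not secret.
	creds := AppRoleLogin{RoleID: "1201c30b-constructed", SecretID: "constructed-secret-id"}
	req, err := BuildLoginRequest(srv.URL, "approle", creds)
	if err != nil {
		fmt.Println("build:", err)
		return
	}
	token, err := Login(srv.Client(), req)
	fmt.Println("token:", token, "err:", err)
}
```

The point the split makes visible: the vault-role annotation carries a role name, which is enough for the kubernetes auth method but not for AppRole, whose login needs a role_id and (usually) a secret_id that must be delivered to the pod as a secret rather than as annotation text. Any webhook support for AppRole therefore has to add a way to source those two values, not just pass the existing annotation through.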

@josueCarvajal josueCarvajal changed the title appRole authentication is producing this error appRole authentication not working as expected Dec 5, 2023
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Feb 4, 2024
ramizpolic (Member) commented:

We currently don't support it, but we definitely should have this in place as well. Will add to backlog for future implementations, but we don't really have a deadline on when we can start working on this.

@ramizpolic ramizpolic changed the title appRole authentication not working as expected add support for appRole authentication Feb 9, 2024
@ramizpolic ramizpolic added area/auth kind/feature Categorizes issue or PR as related to a new feature. and removed lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. labels Feb 9, 2024
@github-project-automation github-project-automation bot moved this to 🆕 New in Project backlog Feb 9, 2024
@ramizpolic ramizpolic moved this from 🆕 New to 📋 Backlog in Project backlog Feb 9, 2024
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Apr 14, 2024
@csatib02 csatib02 removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Apr 14, 2024
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Jun 16, 2024
@csatib02 csatib02 removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Jun 16, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Jun 16, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Jun 16, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Jun 16, 2024
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Aug 18, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Aug 18, 2024
@csatib02 csatib02 added lifecycle/keep Denotes an issue or PR that should be preserved from going stale. and removed lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. labels Aug 18, 2024