
concourse-vault-resource's People

Contributors

hexedpackets, seraf


concourse-vault-resource's Issues

Authorize other auth backend

Hello,

I am looking for a way to use this resource in a shared CI.
For example, I have teamA which is the customerA and teamB which is the customerB.

As they are executing their pipelines on the same pool of workers, the ec2 auth is not really secure as they share the same certificate/bound_ami/whatever.

I would like to avoid that my customerA tries to replace the A with B and gains access to all credentials of my other customer.

I was thinking of this backend: https://www.vaultproject.io/docs/auth/approle.html

Any idea?

Thanks

Database filled by versioned_resources entries

Hello,

We hit an issue when the vault resource is used in a few pipelines: it is creating a lot of new versions:

concourse=> select count(id) from  versioned_resources ; 
  count  
---------
 2783265
(1 row)

concourse=> select count(id) from  versioned_resources where type='vault'; 
  count  
---------
 2741569
(1 row)

concourse=> select count(id) from  versioned_resources where type!='vault'; 
 count 
-------
 41699
(1 row)

As you can see, it is populating the database a bit too much and overloading it.
I think it should create a new version when vault is really used, not on every check.
Any idea how we could improve this? Maybe a simple echo [] would be enough as we don't really need to have versioning/triggering on this part.

Thanks

How to use the secrets once stored on disk

Hello @hexedpackets
Can you provide an example of how you use the secret that has been stored on disk, please?

I guess you are doing an output on the task to export the folder?

Then you have a custom task with jq to get the string wanted?
I would like to use it for the terraform module to get the aws access_key and secret_key fields.

Thanks

I can't get source.uri working

Hello,

Thanks for this resource. I'm trying to use it, but it seems that I can't use my specific vault URL:

resource_types:
- name: vault-image
  type: docker-image
  source:
    repository: docurated/concourse-vault-resource

resources:
- name: vault
  type: vault-image
  source:
    uri: https://vault.mycompany.io:8200
    role: concourse
    nonce: thisisasecretnonce

jobs:
  - name: Deployment
    serial: true
    disable_manual_trigger: false
    plan:
      - get: vault
        params:
          paths:
            - customer/aws

It produces this error on Concourse:

INFO: Reading secrets from: customer/aws
Error writing data to auth/aws-ec2/login: Put https://vault.service.consul:8200/v1/auth/aws-ec2/login: dial tcp: lookup vault.service.consul on 10.100.0.42:53: no such host
ERROR: No token retrieved
Error reading secret/customer/aws: Get https://vault.service.consul:8200/v1/secret/customer/aws: dial tcp: lookup vault.service.consul on 10.100.0.42:53: no such host

Do you have an idea why it fails to read my source?
I'm using Concourse 2.2.1.

Thanks

Incorrect return value

If the token specified is invalid/missing then the call obviously fails, but it seems to return 0 instead of an error, so the pipeline continues to run.

INFO: Reading secrets from: secret/test/ssh
Error writing data to auth/approle/login: Error making API request.

URL: PUT https://vault.test.io/v1/auth/approle/login
Code: 400. Errors:

* failed to validate SecretID: invalid secret_id "9824dcfe-xxxxxxxxxxxxxxxxxx"
ERROR: No token retrieved
Error reading secret/test/ssh: Error making API request.

URL: GET https://vault.test.io/v1/secret/test/ssh
Code: 400. Errors:

* missing client token

By any logic it should indeed be provided, but wasn't here due to a typo.
I think the faulty lines are the following: https://github.com/Docurated/concourse-vault-resource/blob/master/assets/common.sh#L4-L5

Because of the pipe, it can hide errors that should have exited with the -e flag set. E.g.:

$ cat test.sh
#!/bin/bash

set -e

source source.sh

echo "Test: end"

$ cat source.sh
#!/bin/bash

VAR=$(curl -s https://test.test/ -m 1 | tr -d '\n')
if [ -z "$VAR" ]; then
	echo "Source: Something wrong happened"
fi
echo "Source: end"

$ ./test.sh && echo "=> Success" || echo "=> Fail"
Source: Something wrong happened
Source: end
Test: end
=> Success

A way of fixing this would be to add either a return 1 (logical) or an exit 1 in the if that checks the content of the variables. The return would trigger the same behavior as exit due to the set -e flag here: https://github.com/Docurated/concourse-vault-resource/blob/master/assets/in#L3
Or it could be solved by splitting the calls with pipelines into several.

I believe a similar problem could happen in https://github.com/Docurated/concourse-vault-resource/blob/master/assets/common.sh#L16-L18 as well.
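The masking effect described in this issue, and both fixes suggested above, as an added example that is not code from the concourse-vault-resource repository. `fake_vault_login` is a constructed stand-in for the failing `vault write .../login` call: it prints nothing and exits non-zero, like an auth failure.

```shell
#!/bin/bash
# Added example, not from the concourse-vault-resource project.
set -e

# Constructed stand-in for a failing Vault login: no output, non-zero exit.
fake_vault_login() {
  echo "Error writing data to auth/approle/login (constructed sample)" >&2
  return 1
}

# The pattern from the issue: the pipeline's status is that of `tr`, which
# succeeds, so `set -e` never fires and an empty token is silently accepted.
get_token_unsafe() {
  local token
  token=$(fake_vault_login | tr -d '\n')
  if [ -z "$token" ]; then
    echo "ERROR: No token retrieved" >&2
  fi
  echo "$token"
}

# Fix 1 (as proposed in the issue): check the variable and return non-zero.
# With `set -e` in the calling script, this terminates the resource run.
get_token_checked() {
  local token
  token=$(fake_vault_login | tr -d '\n')
  if [ -z "$token" ]; then
    echo "ERROR: No token retrieved" >&2
    return 1
  fi
  echo "$token"
}

# Fix 2: `pipefail` inside the substitution's subshell makes the pipeline
# report the login's failure, so the substitution itself fails and `||` runs.
get_token_pipefail() {
  local token
  token=$(set -o pipefail; fake_vault_login | tr -d '\n') || {
    echo "ERROR: No token retrieved" >&2; return 1; }
  echo "$token"
}

# Report a function's exit status without tripping `set -e` in this script.
status_of() {
  if "$1" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

echo "unsafe:   $(status_of get_token_unsafe)"    # 0: failure hidden
echo "checked:  $(status_of get_token_checked)"   # 1: failure surfaced
echo "pipefail: $(status_of get_token_pipefail)"  # 1: failure surfaced
```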
