docurated / concourse-vault-resource
Concourse resource to fetch secrets from Vault on an EC2 instance.
License: MIT License
Hello,
I am looking for a way to use this resource in a shared CI.
For example, I have teamA which is customerA and teamB which is customerB.
As they execute their pipelines on the same pool of workers, the ec2 auth is not really secure, as they share the same certificate/bound_ami/whatever.
I would like to prevent my customerA from replacing the A with B and gaining access to all the credentials of my other customer.
I was thinking of this backend: https://www.vaultproject.io/docs/auth/approle.html
Any idea?
Thanks
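One way to lay out the AppRole approach asked about above, as an added example that is neither the poster's nor the project's configuration: one Vault policy per customer, each granting only that customer's KV prefix, with a separate AppRole role bound to each. The team names, the `secret/teamA/*` and `secret/teamB/*` paths and the TTLs are assumptions for illustration; the `vault` commands in the comments use the current Vault CLI syntax.

```hcl
# Added example (not the resource's or the poster's configuration).
# Vault is default-deny, so the path blocks below are the entire set of
# capabilities a token carrying the policy can use. A role bound to the
# teamA policy cannot read secret/teamB/* no matter what paths the
# pipeline asks for; the "replace A with B" attempt yields a 403.

# teamA-policy.hcl
path "secret/teamA/*" {
  capabilities = ["read", "list"]
}

# teamB-policy.hcl
path "secret/teamB/*" {
  capabilities = ["read", "list"]
}

# Contrast: one policy like this handed to every worker through the shared
# ec2 login is what lets any pipeline read any customer's secrets.
# path "secret/*" {
#   capabilities = ["read", "list"]
# }

# Wiring, run once by an operator (assumed role names teamA/teamB):
#   vault auth enable approle
#   vault policy write teamA teamA-policy.hcl
#   vault policy write teamB teamB-policy.hcl
#   vault write auth/approle/role/teamA token_policies="teamA" token_ttl=20m secret_id_ttl=60m
#   vault write auth/approle/role/teamB token_policies="teamB" token_ttl=20m secret_id_ttl=60m
#   vault read  auth/approle/role/teamA/role-id
#   vault write -f auth/approle/role/teamA/secret-id
```

The role_id and secret_id for teamA go only into teamA's pipeline configuration (Concourse pipelines belong to a team, so teamB's members cannot read them), and a leaked secret_id still only mints a token carrying the teamA policy. Short token and secret_id TTLs limit the window in which a captured value is useful; `secret_id_bound_cidrs` on the role can additionally pin logins to the worker network.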
Hello,
We hit an issue when the vault resource is used in a few pipelines: it creates a lot of new versions:
concourse=> select count(id) from versioned_resources ;
count
---------
2783265
(1 row)
concourse=> select count(id) from versioned_resources where type='vault';
count
---------
2741569
(1 row)
concourse=> select count(id) from versioned_resources where type!='vault';
count
-------
41699
(1 row)
As you can see, it populates the database a bit too much and overloads it.
I think it should create a new version only when vault is really used, not on every check.
Any idea how we could improve this? Maybe a simple echo [] would be enough, as we don't really need to have versions/triggering on this part.
Thanks
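A content-addressed `check` that only ever yields a new Concourse version when the secret data changes, as an added example that is not the resource's own check script. Concourse runs `check` with `{"source": ..., "version": ...}` on stdin and expects a JSON array of versions on stdout; here the version is a salted SHA-256 of the secret payload, so repeated checks against unchanged data return the same ref and no new row is written. The Vault read is replaced by a constructed stand-in (`read_secret_stub`) so the script runs offline, and using the pipeline's `nonce` as the salt is an assumption made for the example.

```shell
#!/bin/sh
# Added example, not the project's code: a check whose version is derived from the
# secret's content rather than from the time of the check.

# Constructed sample payload standing in for the KV data returned by Vault.
read_secret_stub() {
    printf '%s' '{"access_key":"AKIAEXAMPLE","secret_key":"example-secret"}'
}

# SHA-256 of stdin as 64 hex characters (coreutils, with a macOS fallback).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# version_ref PAYLOAD SALT -> ref for the versions array.
# The salt (assumed: the resource's own nonce from source) matters because Concourse
# stores refs in versioned_resources: an unsalted SHA-256 of a short password could be
# brute-forced offline by anyone who can read that table.
version_ref() {
    printf '%s\n%s' "$2" "$1" | sha256_hex
}

# check_output PAYLOAD SALT -> the JSON array check must print.
# A resource with one logical version always reports its current ref; Concourse
# records a new version only when the ref differs from the last one it stored.
check_output() {
    printf '[{"ref":"%s"}]\n' "$(version_ref "$1" "$2")"
}

# Stand-alone run against the constructed payload.
check_output "$(read_secret_stub)" "thisisasecretnonce"
```

A check that only ever prints `[]` would also stop the growth, but it leaves the resource with no version at all, so a `get: vault` step has nothing to fetch; keeping exactly one content-derived version keeps `get` working and additionally makes a rotated secret visible as a new version.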
Hello @hexedpackets
Can you provide an example of how you use the secret that has been stored on the disk, please?
I guess you are doing an output on the task to export the folder?
Then you have a custom task with jq to get the string wanted?
I would like to use it for the terraform module to get the aws access_key and secret_key fields.
Thanks
Hello,
Thanks for this resource. I'm trying to use it, but it seems that I can't use my specific vault URL:
resource_types:
- name: vault-image
  type: docker-image
  source:
    repository: docurated/concourse-vault-resource
resources:
- name: vault
  type: vault-image
  source:
    uri: https://vault.mycompany.io:8200
    role: concourse
    nonce: thisisasecretnonce
jobs:
- name: Deployment
  serial: true
  disable_manual_trigger: false
  plan:
  - get: vault
    params:
      paths:
      - customer/aws
It produces this error on concourse:
INFO: Reading secrets from: customer/aws
Error writing data to auth/aws-ec2/login: Put https://vault.service.consul:8200/v1/auth/aws-ec2/login: dial tcp: lookup vault.service.consul on 10.100.0.42:53: no such host
ERROR: No token retrieved
Error reading secret/customer/aws: Get https://vault.service.consul:8200/v1/secret/customer/aws: dial tcp: lookup vault.service.consul on 10.100.0.42:53: no such host
Do you have an idea why it fails to read my source?
I'm using concourse 2.2.1
Thanks
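The error above shows a login going to vault.service.consul although the pipeline's source sets uri to vault.mycompany.io. Whatever the cause in the resource, a script that silently falls back to a built-in hostname sends the login nonce to whatever that name resolves to on the worker's DNS. The following added example (not the resource's own code) resolves the address from the source JSON Concourse passes on stdin and refuses to run without an https `uri`, so the failure is loud instead of a request to the wrong host. The JSON handling is a deliberately minimal `sed` for the flat source objects pipelines produce; the `SAMPLE_SOURCE` value is constructed from the pipeline shown above.

```shell
#!/bin/sh
# Added example, not the project's code: fail closed when source.uri is missing.

# source_uri SOURCE_JSON -> value of "uri", or empty when the key is absent.
# Enough for the flat source objects Concourse builds from a pipeline file; it is not
# a general JSON parser.
source_uri() {
    printf '%s' "$1" | sed -n 's/.*"uri"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# resolve_vault_addr SOURCE_JSON -> address on stdout with status 0, or status 1 and
# nothing on stdout when uri is absent or not https. No default host: guessing one
# would turn a typo in the pipeline into a login attempt against an attacker-chosen
# name if worker DNS is ever poisoned or misconfigured.
resolve_vault_addr() {
    addr=$(source_uri "$1")
    if [ -z "$addr" ]; then
        echo "ERROR: source.uri is not set; refusing to guess a Vault address" >&2
        return 1
    fi
    case "$addr" in
        https://*) ;;
        *)
            echo "ERROR: source.uri must use https, got: $addr" >&2
            return 1
            ;;
    esac
    printf '%s' "$addr"
}

# Constructed sample: the source block from the pipeline above, as Concourse passes it.
SAMPLE_SOURCE='{"uri":"https://vault.mycompany.io:8200","role":"concourse","nonce":"thisisasecretnonce"}'

# Stand-alone run: log the address before any credential is sent to it.
if addr=$(resolve_vault_addr "$SAMPLE_SOURCE"); then
    echo "INFO: Vault address: $addr" >&2
fi
```

Logging the resolved address before the login call, as the last lines do, is the quickest way to confirm which host a failing resource is actually talking to.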
If the specified token is invalid/missing then the call obviously fails, but it seems to return 0 instead of an error, so the pipeline continues to run.
INFO: Reading secrets from: secret/test/ssh
Error writing data to auth/approle/login: Error making API request.
URL: PUT https://vault.test.io/v1/auth/approle/login
Code: 400. Errors:
* failed to validate SecretID: invalid secret_id "9824dcfe-xxxxxxxxxxxxxxxxxx"
ERROR: No token retrieved
Error reading secret/test/ssh: Error making API request.
URL: GET https://vault.test.io/v1/secret/test/ssh
Code: 400. Errors:
* missing client token
By any logic it should indeed be provided, but wasn't here due to a typo.
I think the faulty lines are the following: https://github.com/Docurated/concourse-vault-resource/blob/master/assets/common.sh#L4-L5
Because of the pipe, it can hide errors that should have exited with the -e flag set. E.g.:
$ cat test.sh
#!/bin/bash
set -e
source source.sh
echo "Test: end"
$ cat source.sh
#!/bin/bash
VAR=$(curl -s https://test.test/ -m 1 | tr -d '\n')
if [ -z "$VAR" ]; then
    echo "Source: Something wrong happened"
fi
echo "Source: end"
$ ./test.sh && echo "=> Success" || echo "=> Fail"
Source: Something wrong happened
Source: end
Test: end
=> Success
A way of fixing this would be to add either a return 1 (logical) or an exit 1 in the if checking the content of the variables. The return would trigger the same behaviour as an exit, due to the set -e flag here: https://github.com/Docurated/concourse-vault-resource/blob/master/assets/in#L3
Or it could be solved by splitting the piped calls into several.
I believe a similar problem could happen in https://github.com/Docurated/concourse-vault-resource/blob/master/assets/common.sh#L16-L18 as well.
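The masking described in this report, next to the fix it proposes, as an added example that is not the resource's own code. `vault_login_stub` is a constructed stand-in for the curl call to the login endpoint: it prints the JSON reply on success and exits non-zero with no output on failure, the way `curl --fail` behaves on an HTTP 400. The token value is a placeholder.

```shell
#!/bin/sh
# Added example, not the project's code: why a failing login hidden behind a pipe
# does not stop a `set -e` script, and a version that fails closed.
set -e

# Constructed stand-in for the curl login call.
vault_login_stub() {
    if [ "$1" = "bad" ]; then
        return 22   # curl's exit status for an HTTP error under --fail
    fi
    printf '{"auth":{"client_token":"example-token"}}\n'
}

# Pull client_token out of the login reply (sed instead of jq so this runs anywhere).
extract_token() {
    sed -n 's/.*"client_token":"\([^"]*\)".*/\1/p'
}

# Pattern from the report: the assignment's status is the pipeline's, and a pipeline's
# status is that of its last command (sed, which succeeded). set -e never fires; the
# caller receives an empty token and status 0, and the pipeline carries on without
# credentials.
get_token_unchecked() {
    token=$(vault_login_stub "$1" | extract_token)
    printf '%s' "$token"
}

# Hardened: test what the pipe actually produced and return non-zero. A plain call of
# this function from a `set -e` script such as `in` then terminates that script, so the
# step fails instead of continuing. bash's `set -o pipefail` would also surface the
# curl status, but it is not POSIX and the emptiness check is still needed for a 200
# whose body lacks a token.
get_token_checked() {
    token=$(vault_login_stub "$1" | extract_token)
    if [ -z "$token" ]; then
        echo "ERROR: No token retrieved" >&2
        return 1
    fi
    printf '%s' "$token"
}
```

Run `get_token_unchecked bad; echo "status=$?"` and `get_token_checked bad; echo "status=$?"` in an interactive shell (without `set -e`) to see the two statuses side by side; in the `in` script only the checked form turns the missing token into a failed `get`.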