vault-plugin-secrets-alicloud's Issues

use vpc endpoint

When the service has access to the AliCloud VPC network, it should prioritize getting STS credentials through the VPC network rather than accessing the sts endpoints through the public network.

Therefore, I think we should provide an opportunity to allow users to connect to VPC endpoints instead of brute-force hard-coding a public network endpoint.

plugin will never fallback to instance metadata

The plugin always requires that an access_key and secret_key be set due to this line:
https://github.com/hashicorp/vault-plugin-secrets-alicloud/blob/master/path_creds.go#L48

From reading the code, I believe credentials set in the environment would be used before the configured values, but I haven't tested this. Where this completely falls over is when attempting to use the recommended method of falling back to the credentials provided by an AliCloud ECS instance role.

BUG: wrong argument parsing when only one remote_policies is provided

vault write alicloud/role/direct-mail remote_policies=name:AliyunDirectMailFullAccess,type:System
Error writing data to alicloud/role/direct-mail: Error making API request.

URL: PUT https://rubick.dev.wwrkr.cn:8200/v1/alicloud/role/direct-mail
Code: 500. Errors:

* 1 error occurred:
	* policy type is required in name:AliyunDirectMailFullAccess

However, the following command succeeded:

vault write alicloud/role/direct-mail remote_policies='name:AliyunDirectMailFullAccess,type:System' remote_policies='name:AliyunDirectMailReadOnlyAccess,type:System'
Success! Data written to: alicloud/role/direct-mail

I believe Vault treats a comma-separated string as a list. Take this line of code for example: in the first case, strPolicies equals ["name:AliyunDirectMailFullAccess", "type:System"], which is not desired.

My Vault client version is:

Vault v1.1.3 ('9bc820f700f83a7c4bcab54c5323735a581b34eb')
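To make the reported parsing failure concrete, here is an added Go illustration (not the plugin's own code): a per-item parser that requires both fields in every list item fails on the pre-split ["name:X", "type:System"] that a single remote_policies value produces, while an accumulating parser accepts both that input and the two-value form. RemotePolicy, setField and parseRemotePolicies are hypothetical names chosen for this example.

```go
package main

import (
	"fmt"
	"strings"
)
// RemotePolicy is the name/type pair one remote_policies entry describes (example type).
type RemotePolicy struct{ Name, Type string }
// setField applies one "key:value" fragment (e.g. "type:System") to p.
func setField(p *RemotePolicy, frag string) error {
	key, val, ok := strings.Cut(strings.TrimSpace(frag), ":")
	switch {
	case !ok:
		return fmt.Errorf("expected key:value, got %q", frag)
	case key == "name":
		p.Name = val
	case key == "type":
		p.Type = val
	default:
		return fmt.Errorf("unknown field %q in %q", key, frag)
	}
	return nil
}

// parseRemotePolicies consumes the []string Vault hands the plugin. perItem=true demands both
// fields in every item (the behaviour in the issue); perItem=false accumulates across items.
func parseRemotePolicies(items []string, perItem bool) ([]RemotePolicy, error) {
	var out []RemotePolicy
	var cur RemotePolicy
	for _, item := range items {
		for _, frag := range strings.Split(item, ",") {
			if err := setField(&cur, frag); err != nil {
				return nil, err
			}
			if cur.Name != "" && cur.Type != "" { // both halves seen: emit the policy
				out = append(out, cur)
				cur = RemotePolicy{}
			}
		}
		if perItem && cur.Name != "" { // a name whose type was not in the same item
			return nil, fmt.Errorf("policy type is required in %s", item)
		} else if perItem && cur.Type != "" {
			return nil, fmt.Errorf("policy name is required in %s", item)
		}
	}
	if cur != (RemotePolicy{}) {
		return nil, fmt.Errorf("incomplete trailing policy %+v", cur)
	}
	return out, nil
}
```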

Alicloud secret ak/sk config not work in alicloud/config

We use AliCloud KMS to auto-unseal, so we have some AK/SK env vars in the Vault startup script.

But if I use the AliCloud secrets engine, the AK/SK config in alicloud/config is not working.

I reviewed some code for that plugin:

It is defined to first look for the env config. That is not great; in the secrets engine case there is no need to read the env config, since the AK/SK will be defined in alicloud/config.
vault-plugin-secrets-alicloud/clients/creds.go

secret is missing inline_policies internal data

Hello there,

I followed the docs, wrote the policy-based role as in the doc, and created a lease:

$ vault read alicloud/creds/policy-based
Key                Value
---                -----
lease_id           alicloud/creds/policy-based/HhFLFROWDeftRtwTJwtw5XuJ
lease_duration     768h
lease_renewable    true
access_key         LTAI4FtEqaL5JTy6hFvSdkAH
secret_key         pPkGJMcxWV4I4JElfd19bt6rKtv6sx

$ vault read alicloud/role/policy-based
Key                Value
---                -----
inline_policies    [map[hash:8d5db9715fa1fd38c1609a65bf5a453d policy_document:map[Statement:[map[Action:[ram:CreateAccessKey ram:DeleteAccessKey ram:CreatePolicy ram:DeletePolicy ram:AttachPolicyToUser ram:DetachPolicyFromUser ram:CreateUser ram:DeleteUser sts:AssumeRole] Effect:Allow Resource:*]] Version:1]]]
max_ttl            0s
remote_policies    <nil>
role_arn           n/a
ttl                0s

When I revoked the lease, the access key was deleted successfully, but the policies and user remained. The Vault server showed this error log:

2020-03-16T17:23:36.787+0800 [ERROR] expiration: failed to revoke lease: lease_id=alicloud/creds/policy-based/HhFLFROWDeftRtwTJwtw5XuJ error="failed to revoke entry: resp: (*logical.Response)(nil) err: secret is missing inline_policies internal data"

This points to line 141 in path_secrets.go:

// Inline policies are currently stored as remote policies, because they have been
// instantiated remotely and we need their name and type to now detach and delete them.
inlinePolicies, err := getRemotePolicies(req.Secret.InternalData, "inline_policies")
if err != nil {
	// This shouldn't be part of the multierror because if it returns empty inline policies,
	// then we won't go through the inlinePolicies loop and we'll think we're successful
	// when we actually didn't delete the inlinePolicies we need to.
	return nil, err
}

Have I done something wrong? Thanks.
