vault-plugin-auth-huaweicloud

command module
Published: Mar 20, 2020 License: MPL-2.0 Imports: 5 Imported by: 0

README

Vault Plugin: HuaweiCloud Auth Backend

This is a standalone backend plugin for use with HashiCorp Vault. It allows clients to authenticate to Vault with a Huawei Cloud user token.

Getting Started

This is a Vault plugin and is meant to work with Vault. This guide assumes you have already installed Vault and have a basic understanding of how Vault works.

Otherwise, first read this guide on how to get started with Vault.

To learn specifically about how plugins work, see documentation on Vault plugins.

Security Model

This authentication model places Vault in the middle of a call between a client and Huawei Cloud's API: the client presents its Huawei Cloud token, Vault validates it with Huawei Cloud, and based on that response it issues a Vault token whose policies come from a pre-configured role.

Auth Flow

The basic mechanism of operation is per-role.

Each role is bound to a Huawei Cloud account and user name. On login, the plugin validates the presented token with Huawei Cloud, retrieves the account and user name the token belongs to, and compares them with those stored in the role named in the login request. If they match, it looks up the policies associated with the role and issues a Vault token accordingly; otherwise the login fails.
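The matching step above, as an added Go example that is not the plugin's own code: a role carries the account and user it was created with; the caller chooses the role name, but the identity is taken from the validated token and compared with the role, failing closed on any mismatch. The `validateToken` stub, the `tok-*` tokens, the `acme` account and the role data are constructed for this example and stand in for the round trip to Huawei Cloud's API.

```go
package main

import (
	"errors"
	"fmt"
)

// Role mirrors the fields an operator sets with
// `vault write auth/auth-hw/role/<name> account=... user=... token_policies=...`.
type Role struct {
	Name     string
	Account  string
	User     string
	Policies []string
}

// TokenIdentity is what the plugin learns about the caller from Huawei Cloud
// after the token has been validated. The client never supplies these fields
// directly; they come from Huawei Cloud's response.
type TokenIdentity struct {
	Account string
	User    string
}

// SampleRoles is constructed data, equivalent to:
//   vault write auth/auth-hw/role/dev-role account=acme user=alice token_policies=dev
var SampleRoles = map[string]Role{
	"dev-role": {Name: "dev-role", Account: "acme", User: "alice", Policies: []string{"dev"}},
}

// validateToken is a stub standing in for the call to Huawei Cloud's API.
// The tokens and identities below are constructed sample data, not real values.
func validateToken(token string) (TokenIdentity, error) {
	known := map[string]TokenIdentity{
		"tok-alice": {Account: "acme", User: "alice"},
		"tok-bob":   {Account: "acme", User: "bob"},
	}
	id, ok := known[token]
	if !ok {
		return TokenIdentity{}, errors.New("huawei cloud rejected token")
	}
	return id, nil
}

// Login implements the per-role decision: the role name is chosen by the
// client, but the account and user must come from the validated token and
// must equal what the role was created with. Anything else fails closed.
// On success it returns the policies to attach to the Vault token.
func Login(roles map[string]Role, roleName, token string) ([]string, error) {
	role, ok := roles[roleName]
	if !ok {
		return nil, fmt.Errorf("role %q not found", roleName)
	}
	id, err := validateToken(token)
	if err != nil {
		return nil, err
	}
	if id.Account != role.Account || id.User != role.User {
		// Deliberately vague: do not tell the caller which field mismatched.
		return nil, errors.New("token identity does not match role")
	}
	return role.Policies, nil
}

func main() {
	for _, tok := range []string{"tok-alice", "tok-bob", "tok-mallory"} {
		policies, err := Login(SampleRoles, "dev-role", tok)
		fmt.Printf("role=dev-role token=%s -> policies=%v err=%v\n", tok, policies, err)
	}
}
```

Only the first login succeeds: bob presents a valid Huawei Cloud token but the role is bound to alice, and mallory's token is rejected by the (stubbed) API before any role comparison happens.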

Usage

This guide assumes some familiarity with Vault and Vault's plugin ecosystem. You must have a Vault server already running, unsealed, and authenticated.

  • Download and decompress the latest plugin binary from the Releases tab on GitHub. Alternatively you can compile the plugin from source, if you're into that kind of thing.

  • Move the compiled plugin into Vault's configured plugin_directory.

    $ mv vault-plugin-auth-huaweicloud /etc/vault/plugins/
    
  • Calculate the SHA256 of the plugin and register it in Vault's plugin catalog. If you are downloading the pre-compiled binary, it is highly recommended that you verify its integrity against the published checksums before registering it. Vault checks the binary's SHA256 against the registered sha_256 value before it will run the plugin, so the value you register must be the hash of the file that actually sits in the plugin directory.

    $ export SHA256=$(shasum -a 256 "/etc/vault/plugins/vault-plugin-auth-huaweicloud" | cut -d' ' -f1)
    
    $ vault write sys/plugins/catalog/auth-hw \
        sha_256="${SHA256}" \
        command="vault-plugin-auth-huaweicloud"
    
  • Mount the auth method.

    $ vault auth enable auth-hw
    
  • Create a role.

    $ vault write auth/auth-hw/role/dev-role \
        account="${account}" \
        user="user"
    
    • role (string: <required>) - Name of the role.

    • account (string) - Name of the Huawei Cloud account the role is bound to.

    • user (string) - Name of the Huawei Cloud user the role is bound to.

    • token_ttl (integer: 0 or string: "") - The incremental lifetime for generated tokens. The current value of this will be referenced at renewal time.

    • token_max_ttl (integer: 0 or string: "") - The maximum lifetime for generated tokens. The current value of this will be referenced at renewal time.

    • token_policies (array: [] or comma-delimited string: "") - List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

    • token_bound_cidrs (array: [] or comma-delimited string: "") - List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

    • token_explicit_max_ttl (integer: 0 or string: "") - If set, will encode an explicit max TTL onto the token. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

    • token_no_default_policy (bool: false) - If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

    • token_num_uses (integer: 0) - The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.

    • token_period (integer: 0 or string: "") - The period, if any, to set on the token.

    • token_type (string: "") - The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

  • Log in to Vault.

    # Save the token to a file (./token.txt) first, because Huawei Cloud tokens are very long,
    # and protect that file (for example chmod 600). Passing the token as a command-line
    # argument still exposes it in the host's process list while the command runs.
    
    $ token=$(cat ./token.txt); vault write auth/auth-hw/login role=dev-role token=$token
    

    The response will be a standard auth response with some token metadata:

    Key                     Value
    ---                     -----
    token                   s.bmCw3arLhilGd0BWwOEEQ4X0
    token_accessor          6aN0hE5BPRNnnuv1uCD6BJAC
    token_duration          768h
    token_renewable         true
    token_policies          ["default"]
    identity_policies       []
    policies                ["default"]
    token_meta_account      account
    token_meta_role_name    dev-role
    token_meta_user         user
    

Documentation

There is no documentation for this package.
