Implementation of AppRole Auth #27
Hi @rvojcik! Thanks for using secrets-manager! We have been considering this too to be honest :). But at some point we decided that it was way more convenient to just use a token and renew it. We do use the AppRole auth method internally, but we use it just to generate the token (attached to a policy) that later secrets-manager will consume in a pipeline that is fully automated. Wouldn't something like that work for you as well while we consider this feature?
Hi,
Thanks! On one hand I find it nice as well. But there's no direct method in the Go client library; you can always use the general logical client and write in the auth path though. But I also find that just letting secrets-manager renew a token makes it more agnostic of the login mechanism. So I'm kind of torn here XD
Yes I understand. I can describe my use case to you, and why I think it could be nice to have it. Imagine that you have a token from approle, but it's configured to be short, for example like 40m.
Hi @rvojcik !! I finally found the time (sorry for the delay) to really think about this and...
I hope I can have a PR soon to share ;). Thanks again for using it!
Hi @fcgravalos, It helps a lot and now I can simplify my deployment. Thanks!
@rvojcik you can build from master the latest version of secrets-manager and give it a try :)
Hi guys. Thank you for the great project.
I'm wondering if you could implement AppRole Auth.
It's really easy to implement because the output of AppRole is a token which you can use in the traditional way.
https://www.vaultproject.io/docs/auth/approle.html
AppRole provides a way to authenticate against Vault using role-id and secret-id and get a token from Vault for communication. The token can then be used, renewed, etc.
Role-ID and Secret-ID can be configured to not expire, so it's ideal for automation and there is no problem when some of the system is down for some period of time.
It could be nice if your system could first use AppRole auth to get a token and then continue in the normal way.
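
The AppRole exchange described in this issue, as an added example (not code from secrets-manager or from anyone in the thread): it posts role-id and secret-id to Vault's HTTP login endpoint with only the Go standard library and returns the token with its TTL. `AppRoleLogin`, `FakeVault`, the sample credentials and the 2400-second TTL are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Auth is the part of Vault's login response that a token consumer needs.
type Auth struct {
	ClientToken   string `json:"client_token"`
	LeaseDuration int    `json:"lease_duration"` // token TTL in seconds
	Renewable     bool   `json:"renewable"`
}

// AppRoleLogin exchanges a role-id/secret-id pair for a token at auth/approle/login.
func AppRoleLogin(c *http.Client, addr, roleID, secretID string) (*Auth, error) {
	body, _ := json.Marshal(map[string]string{"role_id": roleID, "secret_id": secretID})
	resp, err := c.Post(addr+"/v1/auth/approle/login", "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var out struct{ Auth Auth `json:"auth"` }
	err = json.NewDecoder(resp.Body).Decode(&out)
	if resp.StatusCode != http.StatusOK || err != nil || out.Auth.ClientToken == "" {
		return nil, fmt.Errorf("approle login failed: status %s, decode error %v", resp.Status, err)
	}
	return &out.Auth, nil
}

// FakeVault is a constructed stand-in for the login endpoint so the example runs offline.
func FakeVault() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in map[string]string
		if json.NewDecoder(r.Body).Decode(&in); in["role_id"] != "sample-role-id" || in["secret_id"] != "sample-secret-id" {
			http.Error(w, `{"errors":["invalid role or secret ID"]}`, http.StatusBadRequest)
			return
		}
		fmt.Fprint(w, `{"auth":{"client_token":"sample-token","lease_duration":2400,"renewable":true}}`)
	}))
}

func main() {
	srv := FakeVault()
	defer srv.Close()
	fmt.Println(AppRoleLogin(srv.Client(), srv.URL, "sample-role-id", "sample-secret-id"))
}
```

Against a real Vault, the secret-id would come from a protected source such as a mounted file or an environment variable, and the returned token should be kept out of logs.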