| field | value | date |
|---|---|---|
| author | mo khan <mo@mokhan.ca> | 2022-04-08 15:47:55 -0600 |
| committer | mo khan <mo@mokhan.ca> | 2022-04-08 15:47:55 -0600 |
| commit | 2badc3a81fcd14abed3c67373fb8d111a0c512a0 | |
| tree | a98072f1f3dfd48617bebf3810bddc33feeeb176 | |
| parent | 61d03fdf029e24f20a9ad22035550103bad2df95 | |
notes on possible workflows and vault cli
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | doc/run-identity/README.md | 58 |
| -rwxr-xr-x | src/oidc/bin/02_authz_code_token_request | 1 |
2 files changed, 59 insertions, 0 deletions
diff --git a/doc/run-identity/README.md b/doc/run-identity/README.md index ce21d2a..13c9869 100644 --- a/doc/run-identity/README.md +++ b/doc/run-identity/README.md @@ -12,6 +12,8 @@ Reference Links: * [PRD](https://docs.google.com/document/d/1IGSX1eSk6zQw1Fk0LUuJ9KgeEZgQoPg7126NfnQbL1M/edit#) * [GitHub Example](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) +* [GitHub Configure Subject](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-subject-in-your-cloud-provider) +* [GitLab example with Vault](https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/) Related Field Requests: 
@@ -24,3 +26,59 @@ To Learn: * [ ] the OIDC flows. * [ ] the Vault API. * [ ] the key material available to a Terraform run context. + + +1. In cloud provider, create OIDC trust between cloud role and TFC Workspace. +1. In run task, generate a token via OIDC Provider before apply step. +1. Inject secrets into run. + + +```plaintext +Is it like this? + ------- ---------------- ---------- + | TFC | | OIDC Provider| | runner | + ------- ---------------- ---------- + | | | + |--- request token ----->| | + | | | + |<----- return token ----| | + | | + | | + | | + |---- inject secrets ---------------------->| + +or like this ... + + ------- ---------- --------- + | TFC | | Runner | | Vault | + ------- ---------- --------- + * aws access/secret + --------> + * job description + * a way to get key material from Vault. (token) + * config version data. + --------> give me the secrets + * do the thing + <------- return the job status + +1. schedule run of apply. +2. key material to do the apply. + * aws access/secret key + * environment vars +3. low ttl key material to do the things. +``` + +# Vault + +```bash +モ vault export VAULT_TOKEN=hvs.xxxx-xxxxxxxx +モ vault export VAULT_ADDR=https://vault-cluster.vault.c593ef09-1a12-4e77-994d-5df3a62d538d.aws.hashicorp.cloud:8200 +モ vault export VAULT_NAMESPACE=admin +モ vault kv put cubbyhole/foo bar=baz +Success! Data written to: cubbyhole/foo +モ vault kv get cubbyhole/foo +=== Data === +Key Value +--- ----- +bar baz +``` diff --git a/src/oidc/bin/02_authz_code_token_request b/src/oidc/bin/02_authz_code_token_request index 48e49e8..9e1f221 100755 --- a/src/oidc/bin/02_authz_code_token_request +++ b/src/oidc/bin/02_authz_code_token_request @@ -4,6 +4,7 @@ set -e cd "$(dirname "$0")/.." curl -s \ + -vv \ -u "client_id:client_secret" \ --basic \ -d "grant_type=authorization_code&code=example&redirect_uri=https://client.example.org/callback" \ |
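Review bot: in the first README hunk (the Reference Links list), the new "GitHub Configure Subject" entry is the one that step 1 of the workflow added later in this file ("create OIDC trust between cloud role and TFC Workspace") actually depends on, because that trust is only as narrow as the subject and audience conditions the cloud role checks; a short annotation after the link saying that is why it is listed would save the next reader a click, e.g. `* [GitHub Configure Subject](...) - how to pin the trust to one workspace via the sub claim`.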
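Review bot: in the second README hunk, the Vault section commits what looks like a live HCP cluster address (`export VAULT_ADDR=https://vault-cluster.vault.c593ef09-...aws.hashicorp.cloud:8200`) next to the redacted token; replace the host with a placeholder such as `https://<your-cluster>.hashicorp.cloud:8200` so the notes do not record real infrastructure identifiers, and prefer `vault login` or reading the token from a file over `export VAULT_TOKEN=...` typed on the command line, where it lands in shell history. The second diagram and step 2 also list "aws access/secret key" as the key material handed to the runner while step 3 asks for "low ttl key material"; say explicitly whether those AWS keys are static credentials or the short-lived ones obtained after the OIDC token exchange, since otherwise the role of the OIDC trust from step 1 in this flow is unclear.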
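Review bot: in the `src/oidc/bin/02_authz_code_token_request` hunk, adding `-vv` makes curl print the full outgoing request to stderr, including the `Authorization: Basic ...` header it builds from `-u "client_id:client_secret"`, so once real client credentials are substituted into this script they will end up in terminal scrollback and CI logs; note also that `-s` only hides the progress meter and does not silence `-v`, and that repeating `-v` as `-vv` adds nothing (curl documents `--verbose` as having no extra effect when given multiple times). Suggest gating it on an environment variable so the default run stays quiet: replace `-vv \` with `${CURL_DEBUG:+-v} \`, which expands to nothing unless `CURL_DEBUG` is set.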
