
Feature request: Control which policies are to be used in the created child token at the provider level #1042

Closed
thomas-riccardi opened this issue May 6, 2021 · 2 comments · May be fixed by #1165

Comments

@thomas-riccardi

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

Terraform Version

Terraform v0.15.1
on linux_amd64
+ provider registry.terraform.io/hashicorp/vault v2.19.1

Affected Resource(s)

The vault provider itself.

Terraform Configuration Files

provider "vault" {
  token_policies = ["administrator"]
}

Expected Behavior

Specifying the token policies on the created child token works.

Actual Behavior

Specifying the token policies on the created child token is not supported: the created token automatically inherits all parent token policies.
This happens there:

childTokenLease, err := client.Auth().Token().Create(&api.TokenCreateRequest{
        DisplayName:    tokenName,
        TTL:            fmt.Sprintf("%ds", d.Get("max_lease_ttl_seconds").(int)),
        ExplicitMaxTTL: fmt.Sprintf("%ds", d.Get("max_lease_ttl_seconds").(int)),
        Renewable:      &renewable,
})

Context/need

I was hit by hashicorp/vault#3892 : adding more policies (via an OIDC group claim giving identity policies) (without any deny) unexpectedly removed permissions on some endpoints.

One way to work around that would be to limit the policies used by the terraform-provider-vault when it creates a dedicated child token, thus regaining full access to proceed.

Maybe orphan would also be needed to disable the policies coming from the identity, but that may create other issues...

@thomas-riccardi thomas-riccardi changed the title Control which policies are to be used in the created child token at the provider level Feature request: Control which policies are to be used in the created child token at the provider level May 6, 2021
@thomas-riccardi (Author)

The policies I want to remove come from identity_policies, so it's not doable when creating a child token, cf https://discuss.hashicorp.com/t/create-token-issues-child-policies-must-be-subset-of-parent/5913/2

=> the feature request would not help my scenario, closing it.

@WeetA34

WeetA34 commented Sep 2, 2021

Hello @thomas-riccardi,
it's possible to define a policy not present on the root token for the child token. You need the sudo capability on auth/token/create.
I just wrote the following patch to handle policies for the child token on the provider. I'll look into proposing a PR.

diff --git a/vault/provider.go b/vault/provider.go
index 71d087b4..b7e736c3 100644
--- a/vault/provider.go
+++ b/vault/provider.go
@@ -149,6 +149,12 @@ func Provider() *schema.Provider {

                                Description: "Maximum TTL for secret leases requested by this provider",
                        },
+                       "policies": {
+                               Type:        schema.TypeList,
+                               Optional:    true,
+                               Description: "List of extra policies to attach to the child token. Needs sudo capability on auth/token/create",
+                               Elem:        &schema.Schema{Type: schema.TypeString},
+                       },
                        "max_retries": {
                                Type:     schema.TypeInt,
                                Optional: true,
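Review bot: the Description on the new "policies" attribute says "extra policies to attach", but a Policies list in the create request does not add to the inherited set, it replaces it: when the list is empty the child inherits every policy of the parent (the behaviour the issue describes at the top), and when it is set the child is created with exactly that list. Since the motivating use case is restricting the child token, reword along the lines of "Policies to assign to the child token; when unset the child inherits all of the parent token's policies. Any policy not held by the parent requires the sudo capability on auth/token/create". A TypeSet would also fit better than TypeList, since policy order carries no meaning.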
@@ -834,10 +840,16 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
        }

        renewable := false
+       var policies []string
+       for _, policy := range d.Get("policies").([]interface{}) {
+               policies = append(policies, policy.(string))
+       }
+
        childTokenLease, err := client.Auth().Token().Create(&api.TokenCreateRequest{
                DisplayName:    tokenName,
                TTL:            fmt.Sprintf("%ds", d.Get("max_lease_ttl_seconds").(int)),
                ExplicitMaxTTL: fmt.Sprintf("%ds", d.Get("max_lease_ttl_seconds").(int)),
+               Policies:       policies,
                Renewable:      &renewable,
        })
        if err != nil {
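Review bot: `policy.(string)` in the conversion loop panics if a list element is null (Terraform accepts `policies = [null]`); use the comma-ok form and skip or return an error for such entries. Leaving `policies` nil when the attribute is unset is the right choice, since Policies is then omitted from the request and the existing inherit-everything behaviour is preserved. On the error path just below, a Create rejected because the requested policies are not a subset of the parent's (and the token lacks sudo on auth/token/create) surfaces only as Vault's raw error; wrapping it with the attribute name and the sudo requirement would save users the trip to the discussion thread linked above.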
@@ -845,9 +857,9 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
        }

        childToken := childTokenLease.Auth.ClientToken
-       policies := childTokenLease.Auth.Policies
+       childPolicies := childTokenLease.Auth.Policies

-       log.Printf("[INFO] Using Vault token with the following policies: %s", strings.Join(policies, ", "))
+       log.Printf("[INFO] Using Vault token with the following policies: %s", strings.Join(childPolicies, ", "))

        // Set the token to the generated child token
        client.SetToken(childToken)
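Review bot: the rename to `childPolicies` exists only because `policies` is now declared earlier in the function and `:=` here would otherwise fail to compile ("no new variables on left side"); calling the configured list `requestedPolicies` in the previous hunk would leave these two lines untouched and keep the diff smaller. Whichever name is chosen, keep logging `Auth.Policies` rather than the requested list, since the policies Vault actually assigned are what let a user confirm the restriction took effect.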

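The request shape and the subset rule discussed in this thread, as an added example that is not part of the issue, the patch above or the provider's own code. It uses a hypothetical `childTokenRequest` struct standing in for the Vault API client's `TokenCreateRequest` (only the fields used on this page, with JSON tags assumed to match the auth/token/create parameters), hypothetical helpers `policiesFromConfig`, `newChildTokenRequest` and `missingFromParent`, and constructed sample policies. It shows why an omitted `policies` field means inheritance, how to convert Terraform's `[]interface{}` without panicking on null elements, and which requested policies would trigger the "child policies must be subset of parent" rejection unless the caller has sudo on auth/token/create. Identity policies, which the author notes cannot be removed this way, are not part of a token's own policy list and are deliberately not modelled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// childTokenRequest is a hypothetical stand-in for the fields of the Vault API
// client's TokenCreateRequest used on this page. Policies carries omitempty so
// that a nil or empty list is left out of the body entirely, which is what makes
// Vault fall back to giving the child every policy of the calling token.
type childTokenRequest struct {
	DisplayName    string   `json:"display_name,omitempty"`
	Policies       []string `json:"policies,omitempty"`
	TTL            string   `json:"ttl,omitempty"`
	ExplicitMaxTTL string   `json:"explicit_max_ttl,omitempty"`
	Renewable      *bool    `json:"renewable,omitempty"`
}

// policiesFromConfig converts the []interface{} Terraform returns for a TypeList
// of strings into []string. Null elements (allowed by Terraform) are skipped
// instead of letting an unchecked policy.(string) assertion panic.
func policiesFromConfig(raw []interface{}) []string {
	var out []string
	for _, p := range raw {
		s, ok := p.(string)
		if !ok || s == "" {
			continue
		}
		out = append(out, s)
	}
	return out
}

// newChildTokenRequest builds the request the provider would send. With no
// policies the field is omitted and the child inherits the parent's token
// policies; with a list, the child is created with exactly that list.
func newChildTokenRequest(name string, ttlSeconds int, policies []string) childTokenRequest {
	renewable := false
	return childTokenRequest{
		DisplayName:    name,
		TTL:            fmt.Sprintf("%ds", ttlSeconds),
		ExplicitMaxTTL: fmt.Sprintf("%ds", ttlSeconds),
		Policies:       policies,
		Renewable:      &renewable,
	}
}

// missingFromParent returns, sorted, the requested policies the parent token
// does not hold. A non-empty result means Vault will refuse the create call
// ("child policies must be subset of parent") unless the caller has the sudo
// capability on auth/token/create.
func missingFromParent(parentPolicies, requested []string) []string {
	have := make(map[string]bool, len(parentPolicies))
	for _, p := range parentPolicies {
		have[p] = true
	}
	var missing []string
	for _, p := range requested {
		if !have[p] {
			missing = append(missing, p)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	// Constructed sample: the token policies of a parent obtained via OIDC login.
	parent := []string{"default", "administrator", "oidc-readers"}
	// What Terraform hands the provider for policies = ["administrator", null].
	raw := []interface{}{"administrator", nil}

	for _, req := range []childTokenRequest{
		newChildTokenRequest("terraform", 1200, nil),
		newChildTokenRequest("terraform", 1200, policiesFromConfig(raw)),
	} {
		body, _ := json.Marshal(req)
		fmt.Printf("request body: %s\n", body)
	}
	// Asking for a policy the parent lacks is where sudo comes in.
	fmt.Println(missingFromParent(parent, []string{"administrator", "ops"})) // [ops]
}
```

The first request body has no "policies" key at all, which is the unpatched provider's behaviour from the top of the thread; the second pins the child to "administrator" only. The subset check runs client-side here purely to explain the server's decision; Vault itself enforces it.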