WIP: Implement IAM Authentication #73

Status: Open. Wants to merge 4 commits into base: master.
15 changes: 12 additions & 3 deletions lib/puppet/functions/hiera_vault.rb
@@ -1,5 +1,7 @@
Puppet::Functions.create_function(:hiera_vault) do

require_relative 'special_auth'

begin
require 'json'
rescue LoadError => e
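Review bot: `require_relative 'special_auth'` at the top of the `create_function` block pulls in a file whose `def authenticate` and `def aws_iam_auth` are top-level definitions, so they become private methods on `Object` and are visible to every other Puppet function loaded in the same process, and `authenticate` is a generic enough name to collide. Define them inside the `create_function` block next to `lookup_key` and `vault_get`, or wrap them in a module and `include` it there.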
@@ -82,8 +84,8 @@ def lookup_key(key, options, context)
return context.not_found
end

if vault_token(options).nil?
raise ArgumentError, '[hiera-vault] no token set in options and no token in VAULT_TOKEN'
if vault_token(options).nil? && !options.key?("authentication")
raise ArgumentError, '[hiera-vault] no token set in options, no token in VAULT_TOKEN and no special authentication configured'
end

result = vault_get(key, options, context)
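Review bot: the new guard only checks that an `authentication` key exists, not that it names a supported `type` or carries a `config`, so a typo such as `type: aws-iam` passes here and later fails with a `NoMethodError` on `nil` instead of an `ArgumentError` that explains the problem. Validate `options['authentication']['type']` against the supported types at this point and raise with the same `[hiera-vault]` prefix as the existing message. Minor: `"authentication"` is double-quoted while the rest of the file uses single-quoted keys (`'address'`, `'ssl_pem_file'`).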
@@ -119,12 +121,19 @@ def vault_get(key, options, context)
begin
$hiera_vault_client.configure do |config|
config.address = options['address'] unless options['address'].nil?
config.token = vault_token(options)
config.ssl_pem_file = options['ssl_pem_file'] unless options['ssl_pem_file'].nil?
config.ssl_verify = options['ssl_verify'] unless options['ssl_verify'].nil?
config.ssl_ca_cert = options['ssl_ca_cert'] if config.respond_to? :ssl_ca_cert
config.ssl_ca_path = options['ssl_ca_path'] if config.respond_to? :ssl_ca_path
config.ssl_ciphers = options['ssl_ciphers'] if config.respond_to? :ssl_ciphers

if options.key?("authentication")
context.explain { "[hiera-vault] Using #{options['authentication']['type']} authentication" }
authenticate(options['authentication'], $hiera_vault_client, context)
else
context.explain { "[hiera-vault] Using token authentication" }
config.token = vault_token(options)
end
end

if $hiera_vault_client.sys.seal_status.sealed?
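Review bot: `authenticate` runs inside the `$hiera_vault_client.configure` block and on every call to `vault_get`, i.e. once per key lookup, so each Hiera lookup performs a fresh IAM login against Vault and obtains a new token that nothing here revokes; a Puppet run with many lookups will produce a burst of logins in Vault's audit log and a pile of live tokens until their TTL expires. Move the login out of the `configure` block so the client (address, TLS settings) is fully configured before it talks to Vault, and only authenticate when no token is set yet or the current one has expired. Also, when both a token and `authentication` are present the token is silently ignored; an `explain` line or documented precedence would make that visible.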
27 changes: 27 additions & 0 deletions lib/puppet/functions/special_auth.rb
@@ -0,0 +1,27 @@
def authenticate(options, client, context)

auth_types = {
'aws_iam' => method(:aws_iam_auth)
}

auth_types[options['type']].(options['config'], client, context)

end


def aws_iam_auth(config, client, context)

begin
require 'aws-sdk-core'
rescue LoadError => e
raise Puppet::DataBinding::LookupError, "[hiera-vault] Must install aws-sdk-core gem to use AWS IAM authentication"
end

context.explain { "[hiera-vault] Starting aws_iam authentication with config: #{config}" }

role = config['role']

client.auth.aws_iam(role, Aws::InstanceProfileCredentials.new)

end
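Review bot: `auth_types[options['type']]` returns `nil` for an unknown `type`, so the `.()` on the next line raises `NoMethodError` (undefined method `call` for nil) rather than a readable error; `auth_types.fetch(options['type']) { raise ArgumentError, "[hiera-vault] unsupported authentication type #{options['type']}" }` gives the operator something actionable. In `aws_iam_auth`, `Aws::InstanceProfileCredentials.new` hard-codes the EC2 instance metadata service as the only credential source, so this cannot be used from ECS tasks, Lambda, or a workstation with environment/profile credentials; resolving through the SDK's default credential chain, or letting `config` choose the provider, would be more flexible. `config['role']` is also used unchecked, so a missing role turns into an opaque Vault-side login error instead of a config error. Finally, the `explain` line logs the whole `config` hash; it only holds `role` today, but anything sensitive added to it later would end up in debug output.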