connector using vault with plugin
next fiscal quarter
Zinc white Peacock
We would like to set up a connector that connects to a vault engine that's derived via plugins.
The connector works fine on the vault basic KV engines.
We've set up the following Vault Artifactory plugin - https://jfrog.com/help/r/jfrog-integrations-documentation/hashicorp-vault-artifactory-secrets-plugin
This allows us to provision short-term tokens with a call to Vault. But Harness currently doesn't allow this engine.
Another engine we're looking to implement is via a Vault Git plugin - https://github.com/martinbaillie/vault-plugin-secrets-github
Just like Artifactory, this engine will provision short-term tokens per request.
Merged in a post:
Support for dynamic secret engines in Vault
Curly Anglerfish
Hello,
We are currently deploying from Harness to our Kubernetes clusters by using static service account token credentials stored as secrets in Harness.
We want to avoid the use of static, long-lived credentials and want to use Vault to request temporary credentials for our Kubernetes clusters: https://developer.hashicorp.com/vault/docs/secrets/kubernetes
Unfortunately, Harness only supports the K/V engine of Vault.
We'd like to request support for Vault dynamic secret engines in Harness so that we can retrieve temporary, short-lived service account tokens to access the clusters. Accessing Kubernetes clusters is just one example, it would be awesome if this feature could be used e.g. also to retrieve temporary AWS credentials via Vault.
Thank you
Prateek Mittal
next fiscal quarter
Zinc white Peacock
Hi Support,
I'd like to get this ticket going again as we're implementing the artifactory plugin in Hashi Vault. We want Harness secrets to be able to pull the token and return to the user.
As for the details, please see how the token is returned from Vault here -> https://github.com/jfrog/vault-plugin-secrets-artifactory?tab=readme-ov-file#usage
Example output (token truncated):
Key               Value
---               -----
lease_id          artifactory/token/jenkins/9hHxV1NlyLzPgmNIzjssRCa9
lease_duration    1h
lease_renewable   true
access_token      eyJ2ZXIiOiIyIiw...
role              jenkins
scope             applied-permissions/groups:automation
token_id          06d962b2-63e2-4279-a25d-d2a9cab6507f
username          v-jenkins-x4mohTA8
When I last tested, Harness could only connect with key/value secret engines in Vault. That data is slightly different. We need to pull the data from the 'artifactory' engine (connecting to Vault).
Prateek Mittal
Hi Alfred,
Can you please provide more information on how you want to use Vault to request temporary credentials? Are you referring to leveraging OIDC for getting these short-lived tokens?
On the AWS credentials question, we do support AWS Auth today.
Curly Anglerfish
Prateek Mittal We would basically use AppRole credentials (stored as a secret in Harness) to authenticate to Vault, then use dynamic secret engines in Vault to issue credentials for various providers; as mentioned initially, Vault can issue short-lived tokens for Kubernetes clusters or temporary role credentials for AWS roles. It would be nice if Harness could utilize these dynamic secret engines to request short-lived credentials for various providers.
At the moment in Harness I could theoretically do this via a script that does the necessary HTTP calls to Vault to retrieve these credentials, but I cannot then use these to deploy to Kubernetes or to AWS with Harness, as Harness does not support using workflow variables in connectors.
Prateek Mittal
Curly Anglerfish: One way to achieve this is using the custom secrets manager, with which you can use a template to fetch these secrets and use these secrets in your step.
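The flow the two comments above describe (AppRole login, then a read from a dynamic engine such as the Artifactory plugin, returning the leased token) as an added, stand-alone example; it is not code from anyone in this thread, from Harness or from the plugin. The Vault address, role_id and secret_id are placeholders, and the sample replies are constructed to mirror the output quoted earlier in the thread so the demo runs offline.

```python
import json
import urllib.request

VAULT_ADDR = "https://vault.example"  # placeholder Vault address

def _http(url, method, headers, body=None):
    """Default transport: one JSON request to Vault, JSON reply as a dict."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def approle_login(role_id, secret_id, vault_addr=VAULT_ADDR, http=_http):
    """AppRole login; returns the Vault client token (auth.client_token)."""
    reply = http(f"{vault_addr}/v1/auth/approle/login", "POST",
                 {"Content-Type": "application/json"},
                 {"role_id": role_id, "secret_id": secret_id})
    return reply["auth"]["client_token"]

def read_dynamic_secret(client_token, mount, role, vault_addr=VAULT_ADDR, http=_http):
    """Read <mount>/token/<role> from a dynamic engine and return the leased
    credential with its lease metadata; a KV read carries no lease at all."""
    reply = http(f"{vault_addr}/v1/{mount}/token/{role}", "GET",
                 {"X-Vault-Token": client_token})
    if not reply.get("lease_id"):
        raise ValueError("no lease_id in reply: path is not a dynamic secret")
    return {
        "access_token": reply["data"]["access_token"],
        "username": reply["data"].get("username"),
        "lease_id": reply["lease_id"],
        "lease_duration": reply["lease_duration"],  # seconds until expiry
        "renewable": reply["renewable"],
    }

# Constructed replies mirroring the plugin output quoted above (offline demo).
_FAKE_REPLIES = {
    ("POST", f"{VAULT_ADDR}/v1/auth/approle/login"):
        {"auth": {"client_token": "hvs.constructed-client-token"}},
    ("GET", f"{VAULT_ADDR}/v1/artifactory/token/jenkins"): {
        "lease_id": "artifactory/token/jenkins/9hHxV1NlyLzPgmNIzjssRCa9",
        "lease_duration": 3600, "renewable": True,
        "data": {"access_token": "eyJ2ZXIiOiIyIiw...", "role": "jenkins",
                 "username": "v-jenkins-x4mohTA8"}},
}

def demo(http=lambda url, method, headers, body=None: _FAKE_REPLIES[(method, url)]):
    """AppRole login followed by a dynamic read, against the constructed replies."""
    token = approle_login("role-id-placeholder", "secret-id-placeholder", http=http)
    return read_dynamic_secret(token, "artifactory", "jenkins", http=http)
```

The lease_duration is what a consuming step must respect: the token is only valid for that window, so it should be fetched per run rather than cached like a KV value.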
Prateek Mittal
Curly Anglerfish Can you please let me know if the above solves your use case?
Curly Anglerfish
Prateek Mittal Hey, that sounds promising, I'll give this a try. Is this "Custom secrets manager" a relatively new feature? I haven't seen this before.
Prateek Mittal
Curly Anglerfish: This has been there for a while.
I will mark this request complete for now. Please let us know if you face any issues.
Prateek Mittal
pending feedback
Prateek Mittal
under review
Prateek Mittal
Zinc white Peacock Do you want to use OIDC for hashicorp vault to solve this use case?
Prateek Mittal
complete
Prateek Mittal
pending feedback
Prateek Mittal
under review