
Comments (16)

sharan0x9 avatar sharan0x9 commented on June 9, 2024 9

any progress with this?


chris-feist avatar chris-feist commented on June 9, 2024 3

With the help of @rjrbt 's code, I was able to use his getSignedAWSLoginConfig and the built in node-vault function node-vault.generateFunction to come up with the following code that allows AWS IAM login without modifying the node-vault source code.

//VaultWrapper.js
const nv = require('node-vault');

const vault = nv({
  apiVersion: 'v1',
  endpoint: process.env.VAULT_ENDPOINT,
  //debug: (...args) => console.log('[NodeVault]', args),
});

// Register a client method for POST /v1/auth/aws/login. node-vault ships no
// AWS IAM login, but generateFunction adds one without patching the library.
vault.generateFunction('awsIamLogin', {
  method: 'POST',
  path: '/auth/aws/login',
});

//NOTE: I'm using async/await
const vaultLogin = async () => {
  // check if we are already logged in and have a token
  if (vault.token) return vault;

  // getSignedAwsLoginBody comes from @rjrbt's snippet (not shown here). It returns
  // the SigV4-signed sts:GetCallerIdentity request as the fields Vault expects
  // (iam_http_request_method, iam_request_url, iam_request_body,
  // iam_request_headers) plus the role.
  const postBody = await getSignedAwsLoginBody(); //role and request ID moved inside
  const authResult = await vault.awsIamLogin(postBody);

  vault.token = authResult.auth.client_token;
  //Success, now you can call vault.read or .write
  return vault;
};

module.exports = { vaultLogin };

This would be a good thing to add to the readme. I additionally added some logic that uses STS to assume roles inside my getSignedAwsLoginBody and signs the request with those credentials.


DaniGuardiola avatar DaniGuardiola commented on June 9, 2024 2

@dublx great! Here's a list:

  • I have a branch here which is a complete refactor of node-vault (see this pull request). It needs to be updated with all the changes, features, tests and bugfixes added in the previous version since I last worked on it. Also some tests and documentation must be added as I couldn't finish it.
  • The branch I created for this feature (aws-auth) needs to be updated with the changes in the refactor branch.
  • Tests and documentation must be created for this feature.
  • Once all of this is done, it must be tagged and published onto NPM (v1.0).
  • Would be nice to leave comments in open PRs to let authors know that the refactor has happened so that they can send the changes based on the new version instead of the outdated one.

Hope this is useful :)


DaniGuardiola avatar DaniGuardiola commented on June 9, 2024 1

I am sorry I couldn't merge this back then. I keep convincing myself that I will be able to do it sometime soon but things keep getting complicated and my life keeps getting busier and busier so I can't really promise anything.

Would be happy to give some guidance to someone who can get it done.

Sorry @dvejmz I didn't see your message in time.

Hmu if you still can lend a hand and I'll guide you so we can finally get this merged. @kr1sp1n made me a maintainer a while ago so I would be able to merge it and publish it on NPM when it's done.

Keep in mind that all new changes added to the old version should be ported to the refactored branch too.

Thanks for your interest and sorry for my lack of replies. Life's complicated!


vishalgakhare avatar vishalgakhare commented on June 9, 2024

@kr1sp1n, @rjrbt
Does it mean the current node-vault package has no way to auth against the Vault using the EC2 appRole and its pkcs#7? I did find auth function but not sure what are valid values in requestOptions.
This is what I do on CLI that needs to be done using `node-vault`:

vault write auth/aws-ec2/login role='reader' nonce='086ec704-311a-4111-8190-418bc6e0ab57' pkcs7=$(curl --noproxy 169.254.169.254 --silent --fail http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr --delete "\n")


DaniGuardiola avatar DaniGuardiola commented on June 9, 2024

After working on a massive refactor of the project, I also implemented automatic AWS EC2 IAM login in this branch of mine (PR coming soon). Check the implementation to know the details. Documentation coming soon as well. It basically extracts all the info from the EC2 instance metadata service to generate the STSGetCallerIdentity signed request. Important: the vault role will have the same id (name?) as the aws role. For example if your aws role is named db-admin-role, the vault role will need to be named db-admin-role as well (and be bound to the aws role as described in the Vault documentation).

Suggestions?

The interface is:

const awsVault = require('node-vault').awsAuth()

const stuff = async () => {
  const vault = await awsVault
  await vault.write('secret/something', { value: 'somevalue' })
  console.log(await vault.read('secret/something'))
}

As the exported .awsAuth() method returns a Promise that fulfills with an authenticated vault client.

I am exploring how to make something like require('node-vault/aws-auth') possible.


DaniGuardiola avatar DaniGuardiola commented on June 9, 2024

Also automatic environment detection (if the platform is EC2, lambda or ECS) would be a nice idea, to support all types of AWS "inferred" authentication out of the box. Currently only EC2 IAM is supported, so if this runs on lambda, for example, it will crash.


DaniGuardiola avatar DaniGuardiola commented on June 9, 2024

Not sure whether to support EC2 + PKCS#7 (not IAM) auth as well. I'm not sure we can detect that. Maybe we could first try EC2 IAM and fallback to EC2 PKCS#7 if the former fails.

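The platform detection and IAM-then-PKCS#7 fallback sketched in the last two comments, together with the programmatic form of the `vault write auth/aws-ec2/login ...` command from the earlier CLI question, as added example code that is not from DaniGuardiola's branch or from node-vault. It assumes the standard AWS runtime variables (AWS_LAMBDA_FUNCTION_NAME on Lambda, AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI for containers with a task role); the function names and the attempt names are this example's own, and the per-method login callbacks are supplied by the caller.

```javascript
// Added example (not node-vault or DaniGuardiola's code): choose the AWS login
// path from the runtime environment and try candidates in order.

// Environment signals, assumed to be the standard AWS runtime variables.
// Plain EC2 has no env marker: both IAM credentials and the PKCS#7 identity
// document come from IMDS at 169.254.169.254.
function detectAwsPlatform(env = process.env) {
  if (env.AWS_LAMBDA_FUNCTION_NAME) return 'lambda';
  if (env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI || env.AWS_CONTAINER_CREDENTIALS_FULL_URI) return 'ecs';
  return 'ec2';
}

// IAM login works anywhere the process holds AWS credentials; the PKCS#7
// document only exists on EC2, so it is the fallback there and is never
// attempted on Lambda or ECS, where it would only produce a confusing error.
function loginPlan(platform) {
  switch (platform) {
    case 'lambda':
    case 'ecs':
      return ['aws-iam'];
    case 'ec2':
      return ['aws-iam', 'aws-ec2-pkcs7'];
    default:
      throw new Error(`unknown AWS platform: ${platform}`);
  }
}

// Body for POST auth/aws-ec2/login. IMDS returns the PKCS#7 document as
// wrapped base64 lines; Vault wants it on one line, which is what the
// `tr --delete "\n"` in the CLI example does.
function ec2Pkcs7LoginBody(rawPkcs7, { role, nonce } = {}) {
  const pkcs7 = rawPkcs7.replace(/\r?\n/g, '');
  if (!/^[A-Za-z0-9+/]+=*$/.test(pkcs7)) throw new Error('pkcs7 document is not base64');
  const body = { pkcs7 };
  if (role) body.role = role;
  if (nonce) body.nonce = nonce; // reuse the nonce Vault issued on first login
  return body;
}

// Run each attempt in plan order. `attempts` maps a method name to an async
// function that performs the login and returns Vault's client_token. Stop at
// the first success; otherwise fail with one error that records every attempt,
// so a silent fallback cannot hide a misconfigured primary method.
async function loginWithFallback(plan, attempts) {
  const failures = [];
  for (const method of plan) {
    const attempt = attempts[method];
    if (typeof attempt !== 'function') {
      failures.push(`${method}: not implemented`);
      continue;
    }
    try {
      const token = await attempt();
      if (typeof token !== 'string' || token.length === 0) {
        throw new Error('login response carried no client_token');
      }
      return { method, token };
    } catch (err) {
      failures.push(`${method}: ${err.message}`);
    }
  }
  throw new Error(`all AWS logins failed: ${failures.join('; ')}`);
}

module.exports = { detectAwsPlatform, loginPlan, ec2Pkcs7LoginBody, loginWithFallback };
```

On EC2 the 'aws-ec2-pkcs7' attempt would fetch the document from http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 (the same request the curl in the CLI example makes), post ec2Pkcs7LoginBody(...) with vault.write('auth/aws-ec2/login', body), and return auth.client_token; the 'aws-iam' attempt is the awsIamLogin call from the wrapper earlier in the thread.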

dvejmz avatar dvejmz commented on June 9, 2024

Any progress on this? I'm really interested in having this feature incorporated into node-vault. I've seen @DaniGuardiola has made some headway in his own branch. What's left to be done to merge @DaniGuardiola 's branch in? I'm happy to lend a hand.


DaniGuardiola avatar DaniGuardiola commented on June 9, 2024

Hello @dvejmz!

Well before merging the AWS branch, the main refactored branch must be merged (#78), take a look at that PR. Mainly I need to finish documentation and improve the tests. Then I will be able to publish the first major version to NPM and we can work on AWS and other stuff from there.

Would you be able to help with this?


dvejmz avatar dvejmz commented on June 9, 2024

@DaniGuardiola yeah, I'd be happy to help, what's the best place for me to start? If there's an IRC channel or similar I can get on to discuss this, I can do that too.


sebastianreloaded avatar sebastianreloaded commented on June 9, 2024

so is this proposal dead, since the refactoring wasn't merged and DaniGuardiola doesn't have the time anymore?


dublx avatar dublx commented on June 9, 2024

Would be great to have this feature available.
What needs to be done, I could try to help.


paddie avatar paddie commented on June 9, 2024

A re-write is cool, but it should be done in stages so people aren't blocked from contributing. The above PR was opened in 2018 and probably isn't happening (going from comments in the PR). So, maybe a requirement to port any changes to the new branch is too strict and the work of porting new changes should fall on the side of the branch that does the refactor?

@DaniGuardiola


dublx avatar dublx commented on June 9, 2024

Totally agree, it felt overwhelming & I didn't have time to go do it.


rupanshu2129 avatar rupanshu2129 commented on June 9, 2024

Is this code taking care of assumeRole ?

