Comments (4)
We don't pass on any session headers to the metadata service. To support this, the following requirements would have to be defined:
- Who creates a session token
- How is the token provided to the auth mechanism?
- Who maintains TTL and how is a new token created/provided?
In a JWT/Kubernetes environment, the platform provides such details and ensures that recent information is stored in a file. Spring Vault is by no means authoritative for creating and maintaining yet another set of tokens, so I suggest that you create your own ClientAuthentication implementation, potentially based on AwsEc2Authentication, to explore provisioning and runtime operations.
With sufficient details from a broader community we can work on a path to enable session-bound usage of the identity service.
from spring-vault.
I don't think I understand the issue here - all you need to do is fetch the token from the EC2 instance itself, feed it back to the metadata call and then drop it. The token does not need to be kept beyond the call. ...or else I have greatly misunderstood how much Spring Vault needs to interact with the IMDS.
Documentation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html

Specific CLI example:

```sh
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
```
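The two curl calls above, carried out in code as an added example that is not part of the issue thread or of the spring-vault project. Because the real metadata service only answers at 169.254.169.254 from inside an EC2 instance, the block starts a constructed in-process stand-in (`FakeImds`) that follows the same rules the AWS documentation describes: `PUT /latest/api/token` with a TTL header mints a token, and a `GET` under `/latest/meta-data/` is rejected with 401 unless it carries a live token. The instance-id value it returns is made up. `read_instance_id` shows the per-login pattern discussed in the thread: mint a short-lived token, use it for the call that needs it, and let it go out of scope; nothing in the protocol stops a second caller from minting its own token at the same time.

```python
"""Added example (not spring-vault code): the IMDSv2 token exchange, run against a
constructed stand-in for the metadata service so it works offline."""
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
MAX_TTL = 21600  # IMDSv2 caps a session token TTL at six hours


class FakeImds(BaseHTTPRequestHandler):
    """Constructed stand-in: PUT /latest/api/token mints a token, GET requires one."""
    tokens = {}  # token -> expiry (monotonic seconds), shared by all handler instances
    lock = threading.Lock()

    def log_message(self, *_):  # keep the demo quiet
        pass

    def do_PUT(self):
        try:
            ttl = int(self.headers.get(TTL_HDR, ""))
        except ValueError:
            ttl = 0
        if self.path != "/latest/api/token" or not 1 <= ttl <= MAX_TTL:
            self.send_error(400)  # IMDSv2 rejects a token request without a valid TTL
            return
        token = secrets.token_urlsafe(32)
        with self.lock:
            self.tokens[token] = time.monotonic() + ttl
        self._reply(200, token)

    def do_GET(self):
        token = self.headers.get(TOKEN_HDR)
        with self.lock:
            valid = token in self.tokens and self.tokens[token] > time.monotonic()
        if not valid:
            self.send_error(401)  # an IMDSv2-only instance rejects header-less (v1) calls
            return
        if self.path == "/latest/meta-data/instance-id":
            self._reply(200, "i-0123456789abcdef0")  # constructed value
        else:
            self.send_error(404)

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_fake_imds():
    """Start the stand-in on a free loopback port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeImds)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def fetch_session_token(base, ttl_seconds=MAX_TTL):
    """Same as: curl -X PUT $base/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: N"."""
    req = urllib.request.Request(f"{base}/latest/api/token", method="PUT",
                                 headers={TTL_HDR: str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def get_metadata(base, path, token=None):
    """Same as: curl -H "X-aws-ec2-metadata-token: $TOKEN" $base/latest/meta-data/<path>."""
    headers = {TOKEN_HDR: token} if token else {}
    req = urllib.request.Request(f"{base}/latest/meta-data/{path}", headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def read_instance_id(base):
    """Per-login pattern from the thread: mint a short-lived token, use it, drop it."""
    token = fetch_session_token(base, ttl_seconds=60)
    return get_metadata(base, "instance-id", token)


def status_without_token(base):
    """What a v1-style call (no token header) gets back from an IMDSv2-only endpoint."""
    try:
        get_metadata(base, "instance-id")
        return 200
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    server, url = start_fake_imds()
    print("instance-id:", read_instance_id(url))
    print("status without token:", status_without_token(url))
    server.shutdown()
```

Point the same two functions at `http://169.254.169.254` on a real instance and they behave identically; the stand-in exists only so the exchange can be exercised here.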
Thanks for the additional detail. My initial understanding was that AWS introduced a mechanism to secure metadata requests so that only the first process could request a session token and that no other process could obtain a new token until the other one expires.
After testing the new API a bit, I must say that we only gain additional overhead without getting actual value out of the process.
It should be possible to conditionally obtain a short-lived session token during the login.
Oh, completely agree about the zero value add... but it is what we are required to work with, so here we are.