jetbrains / teamcity-hashicorp-vault-plugin
TeamCity plugin to support HashiCorp Vault
License: Apache License 2.0
When the build is finished or in progress, the Vault wrapped token used by the build to fetch secrets can be viewed in plain text. Even though the token is one-time and uses wrapping, it is possible to trick the agent into not using it for this single time. After that the agent will fail with the error, leaving the token usable to fetch the secrets used by the build.
Proposed solution: set type=password, display=hidden on teamcity.vault.wrapped.token
What happened:
TeamCity server logs show an error stating it is unable to revoke a token after running a build that fetched secrets from Vault successfully.
What you expected to happen:
TeamCity server logs show no error upon revoking token.
How to reproduce it (as minimally and precisely as possible):
More information:
TeamCity server logs:
[2020-07-28 17:19:43,162] WARN [@2e0f68e1"; Normal executor 13] - ty.vault.server.VaultConnector - Failed to revoke token: org.springframework.web.client.HttpClientErrorException: 400 Bad Request
Plugin configuration:
https://vault.url.com/v1
approle
****
****
Vault policy for approle:
path "secret/teamcity/build-configurations/*" {
capabilities = ["read", "list"]
}
path "auth/token/lookup-self" {
capabilities = ["read"]
}
path "auth/token/renew-self" {
capabilities = ["update"]
}
path "auth/token/revoke-self" {
capabilities = ["update"]
}
path "auth/token/revoke-accessor" {
capabilities = ["update"]
}
Build configuration and parameters:
Related to comment:
#19 (comment)
It would be convenient to make Vault token available to build steps as a special parameter (like %vault:$token%)
Build scripts can use this value to perform custom requests to Vault to use secrets engines other than key-value store (e.g. sign custom SSH certificates, access AD passwords and so on).
Considering security, it would be preferable for agents to use prepared temporary token from the server (obtained through AppRole or other method) instead of authenticating to Vault on their own.
For secured passwords, like Uploaded Key Passphrase of the SSH Exec step, the HashiCorp Vault plugin lookup is not executed.
So, setting the password to "%vault:/secret/data/test!/password%" will not look up Vault, but will use this string as the exact password.
I am using Vault and build agents within a Kubernetes cluster and am using the current JetBrains plugin.
Vault is configured as a 3-node HA set and accessed via the URL: "https://vault.infrastructure.svc.cluster.local:8200"
TeamCity can connect using this URL and connection tests are successful.
TeamCity build agents fail to retrieve data using the argument "vault:/vault/secret/cicd/blue!/foo"
However with a local vault install the same path will return:
vault read secret/cicd/blue
Key Value
--- -----
refresh_interval 168h
foo hello
The cluster is using self signed certs however the JVM and also vault environment variables are configured as is keystore loading on container creation into the JVM.
This has also been tried using http only as well.
Full error stack trace
[11:40:47] HashiCorp Vault
[11:40:47] [HashiCorp Vault] Exception occured: org/springframework/core/log/LogDelegateFactory
java.lang.NoClassDefFoundError: org/springframework/core/log/LogDelegateFactory
at org.springframework.http.HttpLogging.forLog(HttpLogging.java:68)
at org.springframework.http.HttpLogging.forLogName(HttpLogging.java:57)
at org.springframework.http.converter.AbstractHttpMessageConverter.<init>(AbstractHttpMessageConverter.java:54)
at org.springframework.http.converter.ByteArrayHttpMessageConverter.<init>(ByteArrayHttpMessageConverter.java:45)
at org.jetbrains.teamcity.vault.UtilKt.createRestTemplate(util.kt:108)
at org.jetbrains.teamcity.vault.UtilKt.createRestTemplate(util.kt:78)
at org.jetbrains.teamcity.vault.UtilKt.createRestTemplate(util.kt:72)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature$buildStarted$$inlined$forEach$lambda$1.invoke(VaultBuildFeature.kt:84)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature$buildStarted$$inlined$forEach$lambda$1.invoke(VaultBuildFeature.kt:35)
at org.jetbrains.teamcity.vault.UtilKt.activity(util.kt:171)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature.buildStarted(VaultBuildFeature.kt:79)
at jdk.internal.reflect.GeneratedMethodAccessor46.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at jetbrains.buildServer.util.EventDispatcher$3.run(EventDispatcher.java:138)
at jetbrains.buildServer.util.NamedThreadFactory.executeWithNewThreadName(NamedThreadFactory.java:76)
at jetbrains.buildServer.util.EventDispatcher.dispatch(EventDispatcher.java:132)
at jetbrains.buildServer.util.EventDispatcher$2.invoke(EventDispatcher.java:82)
at com.sun.proxy.$Proxy9.buildStarted(Unknown Source)
at jetbrains.buildServer.agent.impl.buildStages.startStages.FireBuildStartedStage.doBuildState(FireBuildStartedStage.java:20)
at jetbrains.buildServer.agent.impl.buildStages.startStages.FireEventStageBase.doBuildStage(FireEventStageBase.java:28)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor$1.callStage(BuildStagesExecutor.java:33)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor$1.callStage(BuildStagesExecutor.java:24)
at jetbrains.buildServer.agent.impl.buildStages.StagesExecutor.callRunStage(StagesExecutor.java:76)
at jetbrains.buildServer.agent.impl.buildStages.StagesExecutor.doStages(StagesExecutor.java:35)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor.doStages(BuildStagesExecutor.java:24)
at jetbrains.buildServer.agent.impl.BuildRunActionImpl.doStages(BuildRunActionImpl.java:81)
at jetbrains.buildServer.agent.impl.BuildRunActionImpl.runBuild(BuildRunActionImpl.java:57)
at jetbrains.buildServer.agent.impl.BuildAgentImpl.doActualBuild(BuildAgentImpl.java:333)
at jetbrains.buildServer.agent.impl.BuildAgentImpl.access$200(BuildAgentImpl.java:58)
at jetbrains.buildServer.agent.impl.BuildAgentImpl$1.run(BuildAgentImpl.java:288)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.lang.ClassNotFoundException: Class 'org.springframework.core.log.LogDelegateFactory' was not found
at jetbrains.buildServer.plugins.classLoaders.TeamCityClassLoader.doLoadClass(TeamCityClassLoader.java:85)
at jetbrains.buildServer.plugins.classLoaders.TeamCityClassLoader.loadClass(TeamCityClassLoader.java:40)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
... 32 more
Does the plugin support the REST API? We need to connect to the Vault server using API requests.
I/O error on POST request for "https://XXX/v1/auth/approle/login": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The problem is that once there is at least one trusted SSL certificate configured, only those configured are considered trusted and the default trusted keystore is disregarded.
Plugin version: 0.1.98
[2017-11-27 12:16:44,634] WARN - aultBuildStartContextProcessor - Failed to fetch HashiCorp Vault wrapped token: null
java.lang.NullPointerException
at org.jetbrains.teamcity.vault.server.VaultConnector$Companion.doRequestWrappedToken(VaultConnector.kt:162)
at org.jetbrains.teamcity.vault.server.VaultConnector.requestWrappedToken(VaultConnector.kt:246)
at org.jetbrains.teamcity.vault.server.VaultBuildStartContextProcessor.updateParameters(VaultBuildStartContextProcessor.kt:51)
at jetbrains.buildServer.serverSide.impl.RunningBuildImpl.prepareRunners(RunningBuildImpl.java:1247)
at jetbrains.buildServer.serverSide.impl.RunningBuildImpl.createAgentBuild(RunningBuildImpl.java:1037)
at jetbrains.buildServer.serverSide.impl.BuildStarter$1.run(BuildStarter.java:132)
at jetbrains.buildServer.serverSide.impl.BuildStarter$2$1.run(BuildStarter.java:165)
at jetbrains.buildServer.util.NamedThreadFactory.executeWithNewThreadName(NamedThreadFactory.java:71)
at jetbrains.buildServer.serverSide.impl.BuildStarter$2.run(BuildStarter.java:163)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
ERROR: I/O error on POST request for "https://10.101.4.147:8200/v1/auth/approle/login": Connect to 10.101.4.147:8200 [/10.101.4.147] failed: connect timed out; nested exception is org.apache.http.conn.ConnectTimeoutException: Connect to 10.101.4.147:8200 [/10.101.4.147] failed: connect timed out
I tried to set up a Vault Connection using IAM Authentication. When I clicked "Test Connection", I got a popup with the error:
java.lang.LinkageError: loader constraint violation: when resolving method 'void org.springframework.http.converter.json.MappingJackson2HttpMessageConverter.<init>(com.fasterxml.jackson.databind.ObjectMapper)' the class loader jetbrains.buildServer.plugins.classLoaders.PluginStandaloneClassLoader @178aded3 of the current class, org/springframework/vault/client/VaultResponses, and the class loader org.apache.catalina.loader.ParallelWebappClassLoader @14d1b094 for the method's defining class, org/springframework/http/converter/json/MappingJackson2HttpMessageConverter, have different Class objects for the type com/fasterxml/jackson/databind/ObjectMapper used in the signature (org.springframework.vault.client.VaultResponses is in unnamed module of loader jetbrains.buildServer.plugins.classLoaders.PluginStandaloneClassLoader @178aded3, parent loader org.apache.catalina.loader.ParallelWebappClassLoader @14d1b094; org.springframework.http.converter.json.MappingJackson2HttpMessageConverter is in unnamed module of loader org.apache.catalina.loader.ParallelWebappClassLoader @14d1b094, parent loader java.net.URLClassLoader @20398b7c)
Subsequents attempts to click "Test Connection" give a different error message:
java.lang.NoClassDefFoundError: Could not initialize class org.springframework.vault.client.VaultResponses
This occurred on TeamCity Enterprise 2022.04.4 (build 108763) using version 0.1.113 of this plugin and Temurin JDK 11.0.16+8 (AdoptOpenJDK).
There is a security/usage issue with this plugin in TC.
Plugin allows you to configure only one connection to Vault, so it means you can run only 1 AppRole, but I think I am not the only one, who has use case where multiple different teams can store secrets in Vault and use with TC, but they do not want that anyone else could access it.
So after making AppRole, you add all the policies which could be used with that AppRole and the safeguard would be a secret path, without exact path you can't get the secret values.
Currently the plugin gives the output to the build log, so partially anyone can look at the build log and see this information.
[12:38:00]
The build is removed from the queue to be prepared for the start
[12:38:00]
Starting the build on the agent build-agent-name
[12:38:01]
HashiCorp Vault
[12:38:01]
[HashiCorp Vault] HashiCorp Vault token successfully fetched
[12:38:01]
[HashiCorp Vault] 1 Vault reference to resolve: [vault:secret/path/to/some/very/secret!/value]
[12:38:01]
Clearing temporary directory: /mnt/temp/buildTmp
[12:38:01]
Publishing internal artifacts
It doesn't help if you make it hidden or password in parameters, because it's exposed in the code.
Would be great to have an opportunity to "silence" this.
It's actually the cause of #4.
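Two of the reports above make the same point: the wrapped token parameter and the exact vault: reference path end up in plain text where anyone with build-log access can read them. Until the plugin silences them, a practitioner can at least scrub logs and parameter dumps before sharing them. The following is an added example, not code from the plugin or from any of the reporters; it assumes the parameter name teamcity.vault.wrapped.token and the reference format vault:<mount>/<path>!/<key> shown in the reports, and matches the Vault token prefixes hvs./hvb. (Vault 1.10+), s./b. (earlier 1.x) and bare UUIDs (pre-1.0). The sample log below is constructed to mirror the lines quoted above.

```python
import re
from typing import List, Tuple

# Added example, not plugin code: scrub a build log or parameter dump before it is
# shared, masking what the reports above say is visible in plain text: the
# wrapped-token parameter value, Vault tokens in any other line, and the exact
# secret path inside vault: references.

# teamcity.vault.wrapped.token is the parameter name shown in the reports above.
WRAPPED_PARAM_RE = re.compile(r"(teamcity\.vault\.wrapped\.token\s*=\s*)(\S+)")
# Vault token formats: hvs./hvb. (1.10+), s./b. (earlier 1.x); pre-1.0 tokens were UUIDs.
TOKEN_RE = re.compile(r"\b(?:hv[sb]|[sb])\.[A-Za-z0-9]{20,}\b")
UUID_RE = re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b")
# A vault:<mount>/<path>!/<key> reference as the plugin prints it in the build log.
VAULT_REF_RE = re.compile(r"vault:([^%\]\s,]+)")


def _mask_reference(m: "re.Match[str]") -> str:
    # Keep the mount name (useful when debugging), drop the rest of the path and the key.
    mount = m.group(1).lstrip("/").split("/", 1)[0]
    return f"vault:{mount}/***"


def redact_line(line: str) -> str:
    line = WRAPPED_PARAM_RE.sub(r"\1<redacted>", line)
    line = TOKEN_RE.sub("<vault-token>", line)
    line = UUID_RE.sub("<uuid>", line)  # deliberately broad: old tokens look like request ids
    return VAULT_REF_RE.sub(_mask_reference, line)


def redact_log(text: str) -> Tuple[str, List[int]]:
    """Return the scrubbed text and the 1-based numbers of the lines that changed."""
    out, changed = [], []
    for no, line in enumerate(text.splitlines(), start=1):
        new = redact_line(line)
        if new != line:
            changed.append(no)
        out.append(new)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), changed


# Constructed sample, modelled on the log and parameter lines quoted in the reports.
SAMPLE_LOG = """\
[12:38:01] [HashiCorp Vault] HashiCorp Vault token successfully fetched
[12:38:01] [HashiCorp Vault] 1 Vault reference to resolve: [vault:secret/path/to/some/very/secret!/value]
teamcity.vault.wrapped.token = hvs.CAESIJ7xU5mQ2nT4pL9vR0aB3cD6eF1gH8iJ2kL5mN7oP9qR
teamcity.vault.url = http://vault-server:8200
[17:19:43] WARN - Failed to revoke token 0f3c2a1e-5b6d-4c7e-8f90-1a2b3c4d5e6f: 400 Bad Request
[12:38:01] Clearing temporary directory: /mnt/temp/buildTmp
"""

if __name__ == "__main__":
    scrubbed, lines = redact_log(SAMPLE_LOG)
    print(scrubbed)
    print("redacted lines:", lines)
```

The mount name is kept on purpose: it is enough to tell which engine a build talks to, while the part the reporter calls the safeguard (the exact path) is gone. UUID masking is broader than strictly needed, since request ids have the same shape; that is the safer side to err on in a log that leaves the team.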
Sometimes when we trying to get wrapped token server responds with
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Location: https://vault-node-2.internal:8200/v1/auth/approle/login
Date: Mon, 27 Nov 2017 15:16:51 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
In #11 was the comment:
"Unfortunately it's unclear how do that automatically since secret backend could be mounted anywhere"
Actually, it is not very comfortable to update manually hundreds of parameter variables which use values from Vault (secret/test -> secret/data/test) in case of migration from KV to KV v2.
However, I guess that it is possible to get a secret backend name from a secret path - the first word (e.g. secret/test -> secret/) and then use such request:
curl --header "X-Vault-Token: " <VAULT_ADDRESS>/v1/sys/mounts
for checking the version of the secret backend. The Vault ACL rule is required for this:
path "sys/mounts" {
policy = "read"
}
I'd like to draw your attention to the fact that secret backend v1 can have two possible types: "kv" and "generic".
It makes the migration process (KV -> KV v2) much easier in case the plugin will be able to identify the KV version on the fly.
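The detection the comment above proposes can be carried through end to end: take the sys/mounts listing, find the mount that owns a reference path by longest prefix (mounts can be nested, so "team/ci/" must win over "team/"), read the engine type and its options.version, and only then insert the "data/" segment a KV v2 read needs. The block below is an added example, not plugin code; it assumes the documented shape of the sys/mounts response (one entry per mount keyed by the mount path with a trailing slash, "type" and "options" per entry, and on newer Vault versions the same table repeated under a top-level "data" key) and works on a constructed listing rather than a live server. The "generic" type the comment mentions is treated as KV v1. Note that in current Vault policy syntax the rule is written with capabilities = ["read"]; the policy = "read" form above is the older, deprecated spelling.

```python
import json
from typing import Dict, Optional, Tuple

# Added example, not code from the plugin: decide the KV engine version that owns a
# reference path from a sys/mounts listing, and rewrite the path for KV v2.
# Constructed sample of what GET /v1/sys/mounts returns: one entry per mount,
# keyed by the mount path with a trailing slash. Newer Vault versions also
# repeat the table under a top-level "data" key, which mounts_table() handles.
SAMPLE_MOUNTS = json.loads("""{
  "secret/":  {"type": "kv",      "options": {"version": "2"}},
  "kv/":      {"type": "kv",      "options": {"version": "1"}},
  "legacy/":  {"type": "generic", "options": null},
  "team/ci/": {"type": "kv",      "options": {"version": "2"}},
  "sys/":     {"type": "system",  "options": null}
}""")


def mounts_table(resp: Dict) -> Dict:
    """Return the mount map whether or not the response nests it under "data"."""
    data = resp.get("data")
    if isinstance(data, dict) and any(k.endswith("/") for k in data):
        return data
    return resp


def find_mount(path: str, mounts: Dict) -> Tuple[str, Dict]:
    """Longest-prefix match, so "team/ci/" wins over a hypothetical "team/"."""
    p = path.lstrip("/")
    for mount in sorted(mounts, key=len, reverse=True):
        if p.startswith(mount):
            return mount, mounts[mount]
    raise KeyError(f"no mount owns {path!r}")


def kv_version(info: Dict) -> Optional[int]:
    """1 for KV v1 (type "kv" without version=2, or the old "generic" type),
    2 for KV v2, None for any non-KV engine."""
    if info.get("type") == "generic":
        return 1
    if info.get("type") != "kv":
        return None
    opts = info.get("options") or {}
    return 2 if str(opts.get("version", "1")) == "2" else 1


def to_kv2_path(path: str, mounts: Dict) -> str:
    """Insert the "data/" segment a KV v2 read needs; leave v1 paths alone."""
    mount, info = find_mount(path, mounts)
    ver = kv_version(info)
    if ver is None:
        raise ValueError(f"{mount} is not a KV engine (type={info.get('type')})")
    rest = path.lstrip("/")[len(mount):]
    # Already in v2 form; assumes nobody names a v2 secret "data/..." itself.
    if ver == 1 or rest.startswith("data/"):
        return mount + rest
    return mount + "data/" + rest


def rewrite_reference(ref: str, mounts_resp: Dict) -> str:
    """Rewrite a %vault:<path>!/<key>% parameter for the engine version found."""
    mounts = mounts_table(mounts_resp)
    wrapped = ref.startswith("%") and ref.endswith("%")
    body = ref.strip("%") if wrapped else ref
    if not body.startswith("vault:"):
        raise ValueError(f"not a vault reference: {ref!r}")
    path, sep, key = body[len("vault:"):].partition("!/")
    new_body = "vault:" + to_kv2_path(path, mounts) + sep + key
    return f"%{new_body}%" if wrapped else new_body


if __name__ == "__main__":
    for ref in ("%vault:secret/test!/password%", "%vault:kv/creds!/user1%",
                "%vault:legacy/app!/token%", "vault:team/ci/app!/token"):
        print(ref, "->", rewrite_reference(ref, SAMPLE_MOUNTS))
```

Run against a real listing, the same functions can be pointed at json.load() of the curl output above; the rewrite is idempotent, so references that were already migrated by hand are left untouched.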
After upgrade to TeamCity Enterprise 2021.1 (build 92597) plugin stopped working:
Failed to fetch HashiCorp Vault wrapped token: com.fasterxml.jackson.datatype.jdk8.Jdk8Module cannot be cast to com.fasterxml.jackson.databind.Module: java.lang.ClassCastException: com.fasterxml.jackson.datatype.jdk8.Jdk8Module cannot be cast to com.fasterxml.jackson.databind.Module, see teamcity-server.log for details
teamcity-server.log:
[2021-06-01 10:07:30,581] WARN - aultBuildStartContextProcessor - Failed to fetch HashiCorp Vault wrapped token: com.fasterxml.jackson.datatype.jdk8.Jdk8Module cannot be cast to com.fasterxml.jackson.databind.Module
java.lang.ClassCastException: com.fasterxml.jackson.datatype.jdk8.Jdk8Module cannot be cast to com.fasterxml.jackson.databind.Module
at org.jetbrains.teamcity.vault.support.Jackson2ObjectMapperBuilder.registerWellKnownModulesIfAvailable(Jackson2ObjectMapperBuilder.java:140)
at org.jetbrains.teamcity.vault.support.Jackson2ObjectMapperBuilder.configure(Jackson2ObjectMapperBuilder.java:85)
at org.jetbrains.teamcity.vault.support.Jackson2ObjectMapperBuilder.build(Jackson2ObjectMapperBuilder.java:72)
at org.jetbrains.teamcity.vault.support.MappingJackson2HttpMessageConverter.<init>(MappingJackson2HttpMessageConverter.java:50)
at org.jetbrains.teamcity.vault.UtilKt.createRestTemplate(util.kt:97)
at org.jetbrains.teamcity.vault.UtilKt.createRestTemplate(util.kt:74)
at org.jetbrains.teamcity.vault.support.VaultTemplate.createSessionTemplate(VaultTemplate.java:102)
at org.jetbrains.teamcity.vault.support.VaultTemplate.<init>(VaultTemplate.java:76)
at org.jetbrains.teamcity.vault.server.VaultConnector$Companion.doRequestWrappedToken(VaultConnector.kt:167)
at org.jetbrains.teamcity.vault.server.VaultConnector.requestWrappedToken(VaultConnector.kt:239)
at org.jetbrains.teamcity.vault.server.VaultBuildStartContextProcessor.updateParameters(VaultBuildStartContextProcessor.kt:88)
at jetbrains.buildServer.serverSide.impl.RunningBuildImpl.prepareRunners(RunningBuildImpl.java:202)
at jetbrains.buildServer.serverSide.impl.RunningBuildImpl.createAgentBuild(RunningBuildImpl.java:2)
at jetbrains.buildServer.serverSide.impl.BuildStarter.startBuildOnAgent(BuildStarter.java:200)
at jetbrains.buildServer.serverSide.impl.BuildStarter.afterChangesCollecting(BuildStarter.java:161)
at jetbrains.buildServer.serverSide.impl.BuildStarter.waitForChangesCollectingAndContinue(BuildStarter.java:167)
at jetbrains.buildServer.serverSide.impl.BuildStarter.lambda$null$0(BuildStarter.java:201)
at jetbrains.buildServer.serverSide.impl.BuildStarter.handleBuildStartAction(BuildStarter.java:76)
at jetbrains.buildServer.serverSide.impl.BuildStarter.lambda$null$1(BuildStarter.java:117)
at jetbrains.buildServer.util.NamedThreadFactory.executeWithNewThreadName(NamedThreadFactory.java:76)
at jetbrains.buildServer.serverSide.impl.BuildStarter.lambda$startBuildAsync$2(BuildStarter.java:317)
at java.util.concurrent.CompletableFuture$AsyncRun.run(CompletableFuture.java:1626)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
[2021-06-01 10:07:30,612] INFO - jetbrains.buildServer.SERVER - Build interrupted (INTERRUPTED_WITH_RERUN) with details: [comment: Failed to fetch HashiCorp Vault wrapped token: com.fasterxml.jackson.datatype.jdk8.Jdk8Module cannot be cast to com.fasterxml.jackson.databind.Module: java.lang.ClassCastException: com.fasterxml.jackson.datatype.jdk8.Jdk8Module cannot be cast to com.fasterxml.jackson.databind.Module, see teamcity-server.log for details]. Build: MedM Backend Images Builder / health_backend builds {id=MedMBackendImagesBuilder_HealthBackendBuilds, internal id=bt3438} #1616 {promotion id=423591, branch=CUSTOMER_LIFE365, agent="server-6" {id=2509}, triggered by "Git" (##vcsName='jetbrains.git' type='vcs' triggerId='vcsTrigger'), canceled=[comment: Failed to fetch HashiCorp Vault wrapped token: com.fasterxml.jackson.datatype.jdk8.Jdk8Module cannot be cast to com.fasterxml.jackson.databind.Module: java.lang.ClassCastException: com.fasterxml.jackson.datatype.jdk8.Jdk8Module cannot be cast to com.fasterxml.jackson.databind.Module, see teamcity-server.log for details]. Started 2021-06-01 10:07:28.162, running}
Add teamcity.vault.supported requirement to all sub-builds. This feature will exclude incompatible agents from agent list automatically.
Using the Teamcity plugin I am trying to login to azure using a dynamic service principal however it does not seem possible because it needs to return two parameters : "client_id" and "client_secret"
I tried to do :
%vault:azure/creds/role1!/client_id%
%vault:azure/creds/role1!/client_secret%
in two different parameters. But it generates two service principals.
I tried to concatenate it in one like so "%vault:azure/creds/role1!/client_id%,%vault:azure/creds/role1!/client_secret%" but it did the same thing.
I tried to read this path instead "%vault:azure/creds/role1%" but it did not return anything and returned an error.
Is what I'm trying to do possible, or am I completely on the wrong track?
Thank you :)
Retrieving non-secret information from Vault, for example a project name or login, renders all attributes containing such a substring unusable: the plugin replaces every occurrence with "*******". So dependent builds take garbage as input.
Is there a way to use LDAP authentication instead of approle?
Tried to change a path to the following formats:
%vault:/secret/data/test!/password%
%vault:/vault/secret/data/test!/password%
%vault:vault/secret/data/test!/password%
%vault:/secret/test!/password%
%vault:secret/data/test!/password%
%vault:secret/data/test!password%
Seems org.jetbrains.teamcity.vault.agent.VaultBuildFeature keeps some sessions map where key is a build id and value is some session manager. But this map is never cleaned, even on build finish.
Observed the following line in the build log:
Cannot revoke HashiCorp Vault token: I/O error on POST request for "https://vault.consul:8200/v1/auth/token/revoke-self": Read timed out; nested exception is java.net.SocketTimeoutException: Read timed out
org.jetbrains.teamcity.vault.support.LifecycleAwareSessionManager#revoke
should retry several times
Using vault 1.1.3
Having a K/V 2 keys configured in TeamCity properties as:
prop1: %vault:kv/data/creds!/user1%
prop2: %vault:kv/data/creds!/vasya.p%
The value of prop1 extracts OK
The value of prop2 (which contains a dot in its key) doesn't. The build fails with WARN? (shouldn't it be at least ERROR severity?):
[2019-07-04 10:54:24,915] WARN - .agent.VaultParametersResolver - Cannot extract 'vasya.p' data from '/kv/data/creds', full reference: /kv/data/creds!/vasya.p
com.jayway.jsonpath.PathNotFoundException: Missing property in path $['vasya']
at com.jayway.jsonpath.internal.path.PathToken.handleObjectProperty(PathToken.java:72)
at com.jayway.jsonpath.internal.path.PropertyPathToken.evaluate(PropertyPathToken.java:79)
at com.jayway.jsonpath.internal.path.RootPathToken.evaluate(RootPathToken.java:62)
at com.jayway.jsonpath.internal.path.CompiledPath.evaluate(CompiledPath.java:53)
at com.jayway.jsonpath.internal.path.CompiledPath.evaluate(CompiledPath.java:61)
at com.jayway.jsonpath.JsonPath.read(JsonPath.java:187)
at com.jayway.jsonpath.JsonPath.read(JsonPath.java:157)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver$VaultParametersFetcher.extract(VaultParametersResolver.kt:161)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver$VaultParametersFetcher.getReplacements(VaultParametersResolver.kt:117)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver$VaultParametersFetcher.doFetchAndPrepareReplacements(VaultParametersResolver.kt:84)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver.doFetchAndPrepareReplacements(VaultParametersResolver.kt:74)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver.doFetchAndPrepareReplacements(VaultParametersResolver.kt:70)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver.resolve(VaultParametersResolver.kt:51)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature$buildStarted$$inlined$forEach$lambda$1.invoke(VaultBuildFeature.kt:136)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature$buildStarted$$inlined$forEach$lambda$1.invoke(VaultBuildFeature.kt:33)
at org.jetbrains.teamcity.vault.UtilKt.activity(util.kt:155)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature.buildStarted(VaultBuildFeature.kt:79)
at sun.reflect.GeneratedMethodAccessor35.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at jetbrains.buildServer.util.EventDispatcher$3.run(EventDispatcher.java:128)
at jetbrains.buildServer.util.NamedThreadFactory.executeWithNewThreadName(NamedThreadFactory.java:76)
at jetbrains.buildServer.util.EventDispatcher.dispatch(EventDispatcher.java:122)
at jetbrains.buildServer.util.EventDispatcher$2.invoke(EventDispatcher.java:72)
at com.sun.proxy.$Proxy7.buildStarted(Unknown Source)
at jetbrains.buildServer.agent.impl.buildStages.startStages.FireBuildStartedStage.doBuildState(FireBuildStartedStage.java:20)
at jetbrains.buildServer.agent.impl.buildStages.startStages.FireEventStageBase.doBuildStage(FireEventStageBase.java:26)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor$1.callStage(BuildStagesExecutor.java:31)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor$1.callStage(BuildStagesExecutor.java:24)
at jetbrains.buildServer.agent.impl.buildStages.StagesExecutor.callRunStage(StagesExecutor.java:78)
at jetbrains.buildServer.agent.impl.buildStages.StagesExecutor.doStages(StagesExecutor.java:37)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor.doStages(BuildStagesExecutor.java:24)
at jetbrains.buildServer.agent.impl.BuildRunActionImpl.doStages(BuildRunActionImpl.java:79)
at jetbrains.buildServer.agent.impl.BuildRunActionImpl.runBuild(BuildRunActionImpl.java:55)
at jetbrains.buildServer.agent.impl.BuildAgentImpl.doActualBuild(BuildAgentImpl.java:309)
at jetbrains.buildServer.agent.impl.BuildAgentImpl.access$100(BuildAgentImpl.java:54)
at jetbrains.buildServer.agent.impl.BuildAgentImpl$1.run(BuildAgentImpl.java:272)
at java.lang.Thread.run(Unknown Source)
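The trace above shows what goes wrong: the key part of the reference ("vasya.p") is handed to JsonPath as a dotted path, so it is evaluated as $['vasya']['p'] and fails on the missing "vasya" property. The following is an added example, not code from the plugin or the reporter, showing a resolver that keeps "." literal and, for comparison, the bracket-notation JsonPath ($['vasya.p']) that would make the same lookup succeed. It assumes one convention that the plugin's reference format does not spell out: "/" separates nested objects inside the key part, "." is an ordinary character. The KV v2 read response it works on is constructed, with fields under data.data and metadata under data.metadata as documented by Vault; the same resolver also accepts a KV v1 response where fields sit directly under data.

```python
import json
from typing import Any, List, Tuple

# Added example, not plugin code: resolve the key part of a vault:<path>!/<key>
# reference without treating "." as a nesting separator, so a KV field named
# "vasya.p" is looked up as one property. Assumed convention: "/" separates
# nested objects in the key part, "." is literal.

# Constructed KV v2 read response for kv/data/creds (shape as documented by Vault:
# fields under data.data, version info under data.metadata).
SAMPLE_KV2 = json.loads("""{
  "request_id": "00000000-0000-0000-0000-000000000000",
  "data": {
    "data": {
      "user1": "alice",
      "vasya.p": "s3cr3t",
      "gcp": {"private_key": "-----BEGIN PRIVATE KEY-----\\nMIIE...\\n-----END PRIVATE KEY-----\\n"}
    },
    "metadata": {"created_time": "2019-07-04T10:00:00Z", "version": 1}
  }
}""")


def secret_fields(resp: dict) -> dict:
    """Field map of a read response, for KV v1 (data) or KV v2 (data.data)."""
    data = resp.get("data") or {}
    if isinstance(data.get("data"), dict) and "metadata" in data:
        return data["data"]
    return data


def split_key(key: str) -> List[str]:
    """'gcp/private_key' -> ['gcp', 'private_key']; 'vasya.p' -> ['vasya.p']."""
    return [seg for seg in key.split("/") if seg]


def jsonpath_for(key: str) -> str:
    """The JsonPath the same key needs in bracket notation, dots kept literal:
    $['vasya.p'] instead of $.vasya.p (which is what fails in the report above)."""
    def quote(seg: str) -> str:
        return "['" + seg.replace("\\", "\\\\").replace("'", "\\'") + "']"
    return "$" + "".join(quote(seg) for seg in split_key(key))


def extract(resp: dict, key: str) -> Any:
    """Walk the field map one '/'-separated segment at a time; never split on '.'."""
    node: Any = secret_fields(resp)
    for seg in split_key(key):
        if not isinstance(node, dict) or seg not in node:
            raise KeyError(f"missing {seg!r} while resolving {key!r}")
        node = node[seg]
    return node


def resolve_reference(ref: str, resp: dict) -> Tuple[str, Any]:
    """Split '%vault:<path>!/<key>%' and return (path, value from resp)."""
    body = ref.strip("%")
    if not body.startswith("vault:") or "!/" not in body:
        raise ValueError(f"not a vault:<path>!/<key> reference: {ref!r}")
    path, key = body[len("vault:"):].split("!/", 1)
    return path, extract(resp, key)


if __name__ == "__main__":
    for ref in ("%vault:kv/data/creds!/user1%", "%vault:kv/data/creds!/vasya.p%",
                "%vault:kv/data/creds!/gcp/private_key%"):
        path, value = resolve_reference(ref, SAMPLE_KV2)
        key = ref.strip("%").split("!/", 1)[1]
        print(ref, "->", jsonpath_for(key), "=", repr(value))
```

A multi-line value such as a PEM private key comes back intact from extract(); whatever truncates it later happens after resolution, not in the lookup itself.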
Hey,
I cannot make this plugin to connect to Vault.
Pressing a "Test Connection" prompts an error, that client token is missing.
Running a build gives the same output.
Failed to fetch HashiCorp Vault wrapped token: Cannot log in to HashiCorp Vault using AppRole credentials: missing client token: org.jetbrains.teamcity.vault.server.VaultConnector$ConnectionException: Cannot log in to HashiCorp Vault using AppRole credentials: missing client token, see teamcity-server.log for details
Doing an API call curl --request POST --data @approle-login.json https://my_vault_address:8200/v1/auth/approle/login
I am able to login with the following json
{
"role_id": "bc616551-27e4-c747-6817-0b57efc6c5b3",
"secret_id": "db69f043-7588-95d0-ca1e-3eae912b057b"
}
I get the following reply in JSON
{
"request_id": "e19a51ec-c06a-394e-5c3e-e9c2390a6d25",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": null,
"auth": {
"client_token": "734c0d87-491f-07cb-c1e7-03adea9491fd",
"accessor": "6fb6d92f-e6dc-05f2-3794-512b5b7add9e",
"policies": [
"policy_1",
"default",
"policy_2"
],
"token_policies": [
"policy_1",
"default",
"policy_2"
],
"metadata": {
"app": "teamcity",
"role_name": "teamcity"
},
"lease_duration": 600,
"renewable": true,
"entity_id": "3d5eed9e-4f23-ebc5-4366-6ad3fcbad804"
}
}
This is a request to add support for mTLS auth to the teamcity vault plugin.
Ideally, rather than providing an AppRole, I would like to use a pkey to be used for authentication to vault and generating the wrapping tokens that are sent to agents.
Agents could continue to use the temporary tokens they are issued and unwrap.
Installed the plug-in, restarted the server and tried logging in to Vault using LDAP. Clicking the "Test Connection" button produces the following error: "Unexpected error during Ajax request processing: java.lang.NoClassDefFoundError: org/springframework/web/util/UriBuilderFactory".
We're using TeamCity Enterprise 2021.2 (build 99542)
There doesn't seem to be much happening here and key features like support for the AWS backend don't seem to have gotten further than the initial blog post mentioning it's not working.
TeamCity Enterprise 2019.2.2 (build 71923)
Plugin 2021 0.1.98
Hi,
I have uploaded a GCP service account key to Vault from a JSON file.
$ vault kv get kv/store/gcp
====== Metadata ======
Key Value
--- -----
created_time 2020-09-14T16:13:34.5395125Z
deletion_time n/a
destroyed false
version 1
=============== Data ===============
Key Value
--- -----
auth_provider_x509_cert_url https://www.googleapis.com/oauth2/v1/certs
auth_uri https://accounts.google.com/o/oauth2/auth
client_email [email protected]
client_id 00000000000
client_x509_cert_url https://www.googleapis.com/robot/v1/metadata/x509/0000000-compute%40developer.gserviceaccount.com
private_key -----BEGIN PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
yyyyyyy==
-----END PRIVATE KEY-----
private_key_id 00000000000000000000
project_id myproject_id
token_uri https://oauth2.googleapis.com/token
type service_account
Ideally I want to pull the whole entry out. But I will settle for fields.
So on the TC side I have a variable GCP_CREDS: %vault:/kv/data/store/gcp!/private_key%
Added this in a build step as I can't debug the creds in TC!
echo "${GCP_CREDS}" > ./gcp_creds
On the agent host
$ cat gcp_creds
-----BEGIN
$
It seems to chop at the first white space?
With agent debug set to max on the agent, I can see the whole GCP key arriving intact . I then see [2021-03-04 12:42:32,310] DEBUG - ath.internal.path.CompiledPath - Evaluating path: $['private_key']
I tried a few ideas from here: https://github.com/json-path/JsonPath as this seems to be what the code is based on. No joy.
Any ideas? Is it just my iffy BASH in the build step? :)
The vault plugin works fine for simple key value pairs. I can extract any other field from the GCP data correctly, just not "private_key" !
I have a successful connection to Vault. I have pulled passwords from the Vault inside the Build Steps successfully. But I can't use them inside of Build Features (Commit status publisher - GitLab - Private Token). Why?
Server Version: TeamCity Professional 2022.10.3 (build 117072)
jetbrains/teamcity-server:2022.10.3 (docker image ID: c0edf4d5ae59)
Vault plugin version: 0.1.119
Agent: jetbrains/teamcity-agent (docker image ID: 45f54a688267)
Documentation referred:
Steps to reproduce:
#!/bin/bash
echo SECRET=${SECRET}
Expected Output
SECRET="ActualSecrethere"
Actual Output:
SECRET=%vault:devops/data/api-keys!/devops-na!/secret%
This is same as variable value itself.
Other options tried:
Build Log:
[07:50:57] : [Step 1/1] Starting: /opt/buildagent/temp/agentTmp/custom_script4451755130190608596
[07:50:57] : [Step 1/1] in directory: /opt/buildagent/work/2b35ac7e0452d98f
[07:50:57] : [Step 1/1] VAULT_SUPPORTED=true
[07:50:57] : [Step 1/1] SECRET=%vault:devops/data/api-keys!/devops-na!/secret%
[07:50:57] : [Step 1/1] AWS_SECRET=%vault:aws/data/creds/developer!/access_key%
[07:50:57] : [Step 1/1] Process exited with code 0
[07:50:57] : Publishing internal artifacts
I have read other reported issues in this repo already and the options haven't helped much.
Note that using vault utility on bash works fine though.
This feature prevents the timeout exceeded during long checkout and disk clean with the following error:
[HashiCorp Vault ('staging' namespace)] Failed to unwrap HashiCorp Vault token: Cannot retrieve Token from Cubbyhole: 403 permission denied
org.springframework.vault.VaultException: Cannot retrieve Token from Cubbyhole: 403 permission denied
I configured the plugin to connect to Vault and the "Test connection" is showing that the connection is working.
But the parameter isn't working and i see the message:
Parameter "env.arg=%vault:vault/path!key%" is not fully resolved, using as is.
In the build log
[HH:MM:SS]W: HashiCorp Vault
[HH:MM:SS] : [HashiCorp Vault] HashiCorp Vault token successfully fetched
[HH:MM:SS] : [HashiCorp Vault] 1 Vault references to resolve: [vault:vault/path!key]
[HH:MM:SS]W: [HashiCorp Vault] Failed to fetch data for path 'vault/path!key'
[HH:MM:SS]W: [HashiCorp Vault] Cannot resolve 'vault/path!key': data wasn't received from HashiCorp Vault
Also in the build parameters i see that the plugins seems to be installed:
teamcity.vault.supported = true
teamcity.vault.url = http://vault-server:8200
teamcity.vault.wrapped.token = <XXXXXXX>
TeamCity version: 2017.1.4 (build 47070)
TeamCity HashiCorp Vault Support version: 0.1.43
How can i check the logs/debug why it's not working properly?
In many cases, it is useless to continue to build w/o some data from Vault.
There's an exception on the agent side which can be found only in the agent logs:
Error calling method AgentLifeCycleListener.buildStarted for listener org.jetbrains.teamcity.vault.agent.VaultBuildFeature: java.lang.NoClassDefFoundError: org/apache/http/conn/SchemePortResolver
at jetbrains.buildServer.util.EventDispatcher$3.run(EventDispatcher.java:146)
at jetbrains.buildServer.util.NamedThreadFactory.executeWithNewThreadName(NamedThreadFactory.java:76)
at jetbrains.buildServer.util.EventDispatcher.dispatch(EventDispatcher.java:120)
at jetbrains.buildServer.util.EventDispatcher$2.invoke(EventDispatcher.java:70)
at com.sun.proxy.$Proxy7.buildStarted(Unknown Source)
at jetbrains.buildServer.agent.impl.buildStages.startStages.FireBuildStartedStage.doBuildState(FireBuildStartedStage.java:20)
at jetbrains.buildServer.agent.impl.buildStages.startStages.FireEventStageBase.doBuildStage(FireEventStageBase.java:26)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor$1.callStage(BuildStagesExecutor.java:31)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor$1.callStage(BuildStagesExecutor.java:24)
at jetbrains.buildServer.agent.impl.buildStages.StagesExecutor.callRunStage(StagesExecutor.java:78)
at jetbrains.buildServer.agent.impl.buildStages.StagesExecutor.doStages(StagesExecutor.java:37)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor.doStages(BuildStagesExecutor.java:24)
at jetbrains.buildServer.agent.impl.BuildRunActionImpl.doStages(BuildRunActionImpl.java:75)
at jetbrains.buildServer.agent.impl.BuildRunActionImpl.runBuild(BuildRunActionImpl.java:55)
at jetbrains.buildServer.agent.impl.BuildAgentImpl.doActualBuild(BuildAgentImpl.java:300)
at jetbrains.buildServer.agent.impl.BuildAgentImpl.access$100(BuildAgentImpl.java:54)
at jetbrains.buildServer.agent.impl.BuildAgentImpl$1.run(BuildAgentImpl.java:264)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NoClassDefFoundError: org/apache/http/conn/SchemePortResolver
at org.jetbrains.teamcity.vault.support.ClientHttpRequestFactoryFactory.create(ClientHttpRequestFactoryFactory.java:69)
at org.jetbrains.teamcity.vault.UtilKt.createClientHttpRequestFactory(util.kt:59)
at org.jetbrains.teamcity.vault.UtilKt.createRestTemplate(util.kt:64)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature$buildStarted$$inlined$forEach$lambda$1.invoke(VaultBuildFeature.kt:96)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature$buildStarted$$inlined$forEach$lambda$1.invoke(VaultBuildFeature.kt:33)
at org.jetbrains.teamcity.vault.UtilKt.activity(util.kt:155)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature.buildStarted(VaultBuildFeature.kt:79)
at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at jetbrains.buildServer.util.EventDispatcher$3.run(EventDispatcher.java:126)
... 17 more
Caused by: java.lang.ClassNotFoundException: Class 'org.apache.http.conn.SchemePortResolver' was not found
at jetbrains.buildServer.plugins.classLoaders.TeamCityClassLoader.doLoadClass(TeamCityClassLoader.java:85)
at jetbrains.buildServer.plugins.classLoaders.TeamCityClassLoader.loadClass(TeamCityClassLoader.java:40)
This is a feature request to implement login to Vault using the AWS IAM auth method.
Currently, the plugin logs into Vault using a Vault approle auth. This presents us with a number of issues:
- role-id and secret-id, which are then used by systems to authenticate to that secret store. Albeit doable, it's difficult to automate the configuration of the plugin.
- role-id and secret-id require intervention to refresh on the TeamCity server side.
- role-id and secret-id are configured in the plugin to enable TeamCity to authenticate to Vault, and that information is stored on the filesystem of the TeamCity server.
- role-id and secret-id are stored on file; should someone gain access to the TeamCity server, that person could retrieve that information, generate tokens and gain access to the secrets.
Given the reasons mentioned above and given the current state of the plugin, would it be possible to implement the authentication to Vault using the AWS IAM auth method? We are willing to work on a Pull Request should this feature make sense in the plugin.
Vault Version is 1.7.2.
Unexpected error occurred on server:
Unexpected error during Ajax request processing: java.lang.NoClassDefFoundError: Could not initialize class org.springframework.vault.client.VaultResponses 6916222305304872546.js:5:790
_log https://localhost:8080/res/6916222305304872546.js?v=1623926069989:5
error https://localhost:8080/res/6916222305304872546.js?v=1623926069989:5
onUnexpectedError https://localhost:8080/res/6916222305304872546.js?v=1623926069989:5
processErrors https://localhost:8080/res/6916222305304872546.js?v=1623926069989:10
onComplete https://localhost:8080/res/6916222305304872546.js?v=1623926069989:5
respondToReadyState https://localhost:8080/res/-4735258447288317237.js?v=1623926069989:8
onStateChange https://localhost:8080/res/-4735258447288317237.js?v=1623926069989:8
request https://localhost:8080/res/-4735258447288317237.js?v=1623926069989:8
initialize https://localhost:8080/res/-4735258447288317237.js?v=1623926069989:8
c https://localhost:8080/res/-4735258447288317237.js?v=1623926069989:5
e https://localhost:8080/res/-4735258447288317237.js?v=1623926069989:5
ajaxRequest https://localhost:8080/res/6916222305304872546.js?v=1623926069989:5
save https://localhost:8080/res/6916222305304872546.js?v=1623926069989:36
save https://localhost:8080/res/6916222305304872546.js?v=1623926069989:37
submitTestConnection https://localhost:8080/res/-4735258447288317237.js?v=1623926069989 line 6 > eval:4
onclick https://localhost:8080/admin/editProject.html?projectId=_Root&tab=oauthConnections#:1
It would be nice and useful to see the variable description and default value if they exist.
variable "desired_capacity" {
description = "The maximum size of the auto scale group."
default = "3"
}
Hi all,
Correct me if I'm wrong, but I cannot find anything related to the subject. Can anyone confirm that this plugin is compatible with Vault Enterprise Namespaces?
I saw issue #10 but that didn't solve my problem, and it looks like that is for multiple sessions with the default Vault namespace.
Vault allows mounting an auth backend of any type at any path. Currently this path seems to be hardcoded as "approle".
For example with multiple approle backends I could mount one like this:
vault auth-enable -path teamcity/datacenter1 approle
After that post requests should go to /auth/teamcity/datacenter1/...
instead of /auth/approle/...
I had a problem with the Vault plugin after reading the documentation from the post: https://blog.jetbrains.com/teamcity/2017/09/vault/
Correct format:
%vault:secret/some/path!/somekey%
From the documentation:
%vault:secret/some/path!somekey%
Is the post the only official documentation?
There is an issue which helped me to solve the problem: #1
But the documentation is still incorrect. Please fix it.
I successfully connected the Vault. Delivery of secrets to build steps works. But it is not possible to specify the login for authorization of the VCS (I use configuration parameters).
Why?
If request to Vault fails, it makes sense to retry before failing the build.
This is probably relevant for both the server and agent operations.
BTW, in case of the network errors, it would make sense to include the original error in the build log message.
Here is an example of the failing agent operation:
Build log:
Failed to fetch data for path '/aws-XXX/sts/XXX'
Cannot resolve '/aws-XXX/sts/XXX!/access_key': data wasn't received from HashiCorp Vault
Agent log:
[2021-11-22 14:34:29,052] WARN - .agent.VaultParametersResolver - Failed to fetch data for path '/aws-XXX/sts/XXX'
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://vault.XXX:443/v1/aws-XXX/sts/XXX": Connect to vault.XXX:443 [...] failed: connect timed out; nested exception is org.apache.http.conn.ConnectTimeoutException: Connect to vault.XXX:443 [...] failed: connect timed out
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:607)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:557)
at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:264)
at org.jetbrains.teamcity.vault.support.VaultTemplate$3.doWithRestOperations(VaultTemplate.java:180)
at org.jetbrains.teamcity.vault.support.VaultTemplate.doWithSession(VaultTemplate.java:166)
at org.jetbrains.teamcity.vault.support.VaultTemplate.doRead(VaultTemplate.java:174)
at org.jetbrains.teamcity.vault.support.VaultTemplate.read(VaultTemplate.java:135)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver$VaultParametersFetcher.fetch(VaultParametersResolver.kt:94)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver$VaultParametersFetcher.doFetchAndPrepareReplacements(VaultParametersResolver.kt:82)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver.doFetchAndPrepareReplacements(VaultParametersResolver.kt:74)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver.doFetchAndPrepareReplacements(VaultParametersResolver.kt:70)
at org.jetbrains.teamcity.vault.agent.VaultParametersResolver.resolve(VaultParametersResolver.kt:51)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature$buildStarted$$inlined$forEach$lambda$1.invoke(VaultBuildFeature.kt:138)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature$buildStarted$$inlined$forEach$lambda$1.invoke(VaultBuildFeature.kt:35)
at org.jetbrains.teamcity.vault.UtilKt.activity(util.kt:171)
at org.jetbrains.teamcity.vault.agent.VaultBuildFeature.buildStarted(VaultBuildFeature.kt:79)
at sun.reflect.GeneratedMethodAccessor96.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at jetbrains.buildServer.util.EventDispatcher$3.run(EventDispatcher.java:138)
at jetbrains.buildServer.util.NamedThreadFactory.executeWithNewThreadName(NamedThreadFactory.java:76)
at jetbrains.buildServer.util.EventDispatcher.dispatch(EventDispatcher.java:132)
at jetbrains.buildServer.util.EventDispatcher$2.invoke(EventDispatcher.java:82)
at com.sun.proxy.$Proxy7.buildStarted(Unknown Source)
at jetbrains.buildServer.agent.impl.buildStages.startStages.FireBuildStartedStage.doBuildState(FireBuildStartedStage.java:20)
at jetbrains.buildServer.agent.impl.buildStages.startStages.FireEventStageBase.doBuildStage(FireEventStageBase.java:28)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor$1.callStage(BuildStagesExecutor.java:33)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor$1.callStage(BuildStagesExecutor.java:24)
at jetbrains.buildServer.agent.impl.buildStages.StagesExecutor.callRunStage(StagesExecutor.java:76)
at jetbrains.buildServer.agent.impl.buildStages.StagesExecutor.doStages(StagesExecutor.java:35)
at jetbrains.buildServer.agent.impl.buildStages.BuildStagesExecutor.doStages(BuildStagesExecutor.java:24)
at jetbrains.buildServer.agent.impl.BuildRunActionImpl.doStages(BuildRunActionImpl.java:81)
at jetbrains.buildServer.agent.impl.BuildRunActionImpl.runBuild(BuildRunActionImpl.java:57)
at jetbrains.buildServer.agent.impl.BuildAgentImpl.doActualBuild(BuildAgentImpl.java:332)
at jetbrains.buildServer.agent.impl.BuildAgentImpl.access$200(BuildAgentImpl.java:58)
at jetbrains.buildServer.agent.impl.BuildAgentImpl$1.run(BuildAgentImpl.java:287)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.http.conn.ConnectTimeoutException: Connect to vault.XXX:443 [...] failed: connect timed out
at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:134)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:319)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:91)
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
at org.springframework.http.client.InterceptingClientHttpRequest$InterceptingRequestExecution.execute(InterceptingClientHttpRequest.java:93)
at org.jetbrains.teamcity.vault.support.VaultTemplate$1.intercept(VaultTemplate.java:104)
at org.springframework.http.client.InterceptingClientHttpRequest$InterceptingRequestExecution.execute(InterceptingClientHttpRequest.java:85)
at org.springframework.http.client.InterceptingClientHttpRequest.executeInternal(InterceptingClientHttpRequest.java:69)
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:596)
... 36 more
Caused by: java.net.SocketTimeoutException: connect timed out
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:607)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:244)
at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:125)
... 55 more
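A retry-with-backoff wrapper of the kind this post asks for, as an added example written here in Python against a constructed in-memory transport; it is not the plugin's code. It also takes the approle mount path as a setting instead of hardcoding auth/approle, which is what the earlier request about custom auth mount paths needs, and it sends the namespace header the later namespace logs on this page refer to. Everything the example talks to (the host vault.example.com, the role/secret IDs r1 and s1, the token value, the aws-example/sts/deployer path) is constructed for the demo.

```python
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple


class VaultTransportError(Exception):
    """Network-level failure (connect timeout, reset, DNS): worth retrying."""


class VaultHttpError(Exception):
    """Vault answered with an HTTP error status."""

    def __init__(self, status: int, body: str = ""):
        super().__init__(f"HTTP {status}: {body}")
        self.status = status


# Statuses where a retry can plausibly succeed (standby, sealed or overloaded node).
RETRYABLE_STATUS = {429, 500, 502, 503, 504}

# transport(method, url, headers, json_body) -> parsed JSON response
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]], Dict[str, Any]]


@dataclass
class VaultClient:
    base_url: str
    transport: Transport
    namespace: Optional[str] = None      # sent as X-Vault-Namespace (Vault Enterprise)
    auth_mount: str = "approle"          # approle can be mounted anywhere, e.g. "teamcity/datacenter1"
    retries: int = 3
    backoff: float = 0.5                 # seconds; doubled after each failed attempt
    sleep: Callable[[float], None] = time.sleep
    token: Optional[str] = None

    def _headers(self) -> Dict[str, str]:
        headers: Dict[str, str] = {}
        if self.token:
            headers["X-Vault-Token"] = self.token
        if self.namespace:
            headers["X-Vault-Namespace"] = self.namespace
        return headers

    def _request(self, method: str, api_path: str, body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        url = f"{self.base_url.rstrip('/')}/v1/{api_path.strip('/')}"
        last_error: Optional[Exception] = None
        for attempt in range(1, self.retries + 1):
            try:
                return self.transport(method, url, self._headers(), body)
            except VaultTransportError as exc:
                last_error = exc
            except VaultHttpError as exc:
                if exc.status not in RETRYABLE_STATUS:
                    raise          # 400/403/404: retrying cannot help and would only hide the cause
                last_error = exc
            if attempt < self.retries:
                self.sleep(self.backoff * 2 ** (attempt - 1))
        # Keep the original error text so the build log shows the real cause, not just "data wasn't received".
        raise RuntimeError(f"{method} {url} failed after {self.retries} attempts: {last_error}") from last_error

    def login_approle(self, role_id: str, secret_id: str) -> str:
        resp = self._request("POST", f"auth/{self.auth_mount.strip('/')}/login",
                             {"role_id": role_id, "secret_id": secret_id})
        self.token = resp["auth"]["client_token"]
        return self.token

    def read(self, path: str) -> Dict[str, Any]:
        return self._request("GET", path)["data"]


def make_flaky_transport(failures_before_success: int) -> Tuple[Transport, List[Tuple[str, str, Dict[str, str]]]]:
    """Constructed stand-in for the network: raises connect timeouts for the first N calls,
    then behaves like a minimal Vault with one approle and one readable path."""
    calls: List[Tuple[str, str, Dict[str, str]]] = []
    state = {"failures_left": failures_before_success}

    def transport(method, url, headers, body):
        calls.append((method, url, dict(headers)))
        if state["failures_left"] > 0:
            state["failures_left"] -= 1
            raise VaultTransportError(f"Connect to {url} failed: connect timed out")
        if url.endswith("/login"):
            if body != {"role_id": "r1", "secret_id": "s1"}:
                raise VaultHttpError(400, "invalid role or secret ID")
            return {"auth": {"client_token": "hvs.constructed-token"}}
        if headers.get("X-Vault-Token") != "hvs.constructed-token":
            raise VaultHttpError(403, "permission denied")
        return {"data": {"access_key": "AKIA-constructed"}}

    return transport, calls


def demo():
    transport, calls = make_flaky_transport(2)
    client = VaultClient("https://vault.example.com", transport, namespace="de_stage",
                         auth_mount="teamcity/datacenter1", sleep=lambda _: None)
    client.login_approle("r1", "s1")
    return client, calls, client.read("aws-example/sts/deployer")
```

Only network failures and the listed 5xx/429 statuses are retried; a 400 or 403 is re-raised on the first attempt with Vault's own body, since repeating a rejected login or a denied read only delays the failure and hides the reason.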
Hi.
Found a very rare case with a password containing two percent symbols, separated by other symbols. If such a password is passed via an environment variable, the plugin puts the parameter value instead of the secret.
Version: TeamCity Enterprise 2019.2.2 (build 71923)
Steps to reproduce:
1. Secret: {"password": "asdf%1234%zxcv"}
2. Environment variable value: %vault:some/path!/password%
3. Result: the environment variable contains %vault:some/path!/password% instead of the password. This only happens with an environment variable.
With { "password": "qwer%teamcity.vault.supported%zxcv" }, the environment variable is templated with this parameter. This happens with both a variable and a parameter used "as is".

Hi,
I have a lot of problems connecting with the plugin to my Vault instance. I get different errors when I try some approaches with the parameters:
1. With approle in the role path
2. With the path role that I used to read from the CLI
I used this role Id and secret Id in a http post request and it works:
POST: https://vaultinstance.com/v1/auth/approle/login
{
"role_id":"{{TEMP_ROLE_ID}}",
"secret_id": "{{TEMP_SECRET}}"
}
RESPONSE
{
"request_id": "",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": {
"token": "SSS",
"accessor": "DDDD",
"ttl": 120,
"creation_time": "2020-04-27T16:06:48.271773469Z",
"creation_path": "auth/approle/login",
"wrapped_accessor": "VVV"
},
"warnings": null,
"auth": null
}
TC Version: 2019.2.3 (build 72031)
Plugin version: 0.1.92 (got from TC compilation)
I would like to run multiple copies of the vault-plugin. We have a few globally accessible items but we also have some more restricted passwords that should only be accessible via a single project.
Looking at this line, it has a constant of vault:*
but it would really be nice if you could just configure in the UI a namespace for example vault_my:*
This would allow me to access both the top level vault definition and the single project definition without conflict.
Whenever I enable kv (v1) on a particular path, all secrets are retrieved properly:
[10:47:27]HashiCorp Vault
[10:47:28]HashiCorp Vault token successfully fetched
[10:47:28]5 Vault references to resolve: [vault:secret/data/keys!/roottoken, vault:secret/data/mysql/webapp!/db_name, vault:secret/data/mysql/webapp!/password, vault:secret/data/mysql/webapp!/url, vault:secret/data/mysql/webapp!/username]
but if I change the kv version to v2 (disable kv1 and enable kv2 on the same path, or simply enable kv2 on another path) it doesn't work and the only messages are as follows:
[2020-09-08 12:15:42,102] WARN - .agent.VaultParametersResolver - Cannot resolve '/secret/data/keys!/roottoken': data wasn't received from HashiCorp Vault
[2020-09-08 12:15:42,102] INFO - nt.impl.BuildRunAgentStateImpl - Stopping build on agent. Reason: fail and stop build command from the agent (Error while fetching data from HashiCorp Vault )
The policy is:
# Read-only permission on 'secret/data/*' path
path "secret/data/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
When, in one project, I try to set environment variables with kvs from multiple secrets, I get this error:
[HashiCorp Vault ('de_stage' namespace)] 4 Vault references to resolve: [vault:de_stage:/de/stage/external-model-ui!/external-model-ui-qa-access-key, vault:de_stage:/de/stage/external-model-ui!/external-model-ui-qa-secret-key, vault:de_stage:/de/stage/model-deployer!/model-deployer-access-key, vault:de_stage:/de/stage/model-deployer!/model-deployer-secret-key]
[15:17:13]
[HashiCorp Vault ('de_stage' namespace)] Failed to fetch data for path '/de/stage/model-deployer'
[15:17:13]
[HashiCorp Vault ('de_stage' namespace)] Cannot resolve '/de/stage/model-deployer!/model-deployer-access-key': data wasn't received from HashiCorp Vault
[15:17:13]
[HashiCorp Vault ('de_stage' namespace)] Cannot resolve '/de/stage/model-deployer!/model-deployer-secret-key': data wasn't received from HashiCorp Vault
If I only try to get from one secret, there are no issues.
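The reference syntax that recurs through these issues (%vault:path!/key%, the vault:<namespace>: prefix in the log above, the !/... part as a pointer into the response) and the percent-sign problem reported earlier, worked through as an added Python example. This is not the plugin's parser: the grammar, the single-pass substitution and the in-memory secret store with its values are assumptions made for the demo. The response shapes (KV v1 values directly under data, KV v2 values one level deeper under data/data) are how Vault's API returns them; whether the plugin adjusts the pointer for KV v2 on its own is not something this page states.

```python
import json
import re
from typing import Any, Callable, Dict, Optional, Tuple

# Reference grammar as it appears in these issues (an assumption, not the plugin's parser):
#   %vault:[<namespace>:]<path>!<json-pointer>%
# The path may not contain ':' so the optional namespace prefix is unambiguous.
REF_RE = re.compile(r"%vault:(?:(?P<ns>[A-Za-z0-9_-]+):)?(?P<path>[^%!:]+)!(?P<ptr>/[^%]*)%")

# fetch(namespace, path) -> the JSON object Vault returned for GET /v1/<path>
Fetcher = Callable[[Optional[str], str], Dict[str, Any]]


def parse_reference(ref: str) -> Tuple[Optional[str], str, str]:
    m = REF_RE.fullmatch(ref)
    if not m:
        raise ValueError(f"not a vault reference: {ref!r}")
    return m.group("ns"), m.group("path"), m.group("ptr")


def json_pointer(doc: Any, pointer: str) -> Any:
    """RFC 6901 lookup ('~1' -> '/', '~0' -> '~'); raises KeyError/IndexError when a step is missing."""
    if pointer == "":
        return doc
    if not pointer.startswith("/"):
        raise ValueError("JSON pointer must start with '/'")
    for token in pointer[1:].split("/"):
        token = token.replace("~1", "/").replace("~0", "~")
        if isinstance(doc, list):
            doc = doc[int(token)]
        elif isinstance(doc, dict):
            doc = doc[token]
        else:
            raise KeyError(token)
    return doc


def resolve_parameters(params: Dict[str, str], fetch: Fetcher) -> Dict[str, str]:
    """Replace every reference in one left-to-right pass. A substituted secret is never
    rescanned, so '%' sequences inside a secret value stay literal."""
    cache: Dict[Tuple[Optional[str], str], Dict[str, Any]] = {}

    def substitute(m) -> str:
        ns, path, ptr = m.group("ns"), m.group("path"), m.group("ptr")
        if (ns, path) not in cache:
            cache[(ns, path)] = fetch(ns, path)      # one fetch per distinct path, shared by all keys
        try:
            value = json_pointer(cache[(ns, path)].get("data"), ptr)
        except (KeyError, IndexError, ValueError):
            raise LookupError(f"Cannot resolve '{path}!{ptr}': key not present in data received from Vault") from None
        return value if isinstance(value, str) else json.dumps(value)

    return {name: REF_RE.sub(substitute, value) for name, value in params.items()}


def naive_reexpand(value: str, params: Dict[str, str]) -> str:
    """A generic second %name% expansion pass run over already-resolved text. Included only to make
    the hazard visible: it rewrites parameter-looking tokens that happen to sit inside a secret."""
    return re.sub(r"%([A-Za-z0-9_.]+)%", lambda m: params.get(m.group(1), m.group(0)), value)


# Constructed in-memory stand-in for Vault. Shapes follow Vault's KV API responses.
SECRETS: Dict[Tuple[Optional[str], str], Dict[str, Any]] = {
    (None, "some/path"): {"data": {"password": "asdf%1234%zxcv"}},                          # KV v1
    (None, "other/path"): {"data": {"password": "qwer%teamcity.vault.supported%zxcv"}},     # KV v1
    ("de_stage", "/de/stage/model-deployer"): {"data": {"model-deployer-access-key": "AKIA-constructed",
                                                         "model-deployer-secret-key": "constructed-secret"}},
    (None, "secret/data/keys"): {"data": {"data": {"roottoken": "hvs.constructed"},          # KV v2
                                           "metadata": {"version": 2}}},
}


def fake_fetch(ns: Optional[str], path: str) -> Dict[str, Any]:
    try:
        return SECRETS[(ns, path)]
    except KeyError:
        raise LookupError(f"Failed to fetch data for path '{path}'") from None
```

The point of resolve_parameters is that the secret text is inserted exactly once and never fed back into any %name% expansion; naive_reexpand shows what a later generic pass does to a value like qwer%teamcity.vault.supported%zxcv, which is the symptom the percent-sign report describes.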
HashiCorp's docs recommend that the IAM auth method be configured to use a nonce (X-Vault-AWS-IAM-Server-ID).
In addition, when the role name in Vault is different from the IAM role, the role name must be specified as well.
This plugin does not allow either value to be configured.
To be clear: as per HashiCorp's docs, a client that authenticates using the IAM method on the CLI would do something like the following:
vault login -method=aws header_value=vault.example.com role=dev-role-iam
This plugin needs to allow for the equivalent of the header_value and role above to be specified.
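What the requested AWS IAM login (here and in the earlier feature request) actually sends, as an added Python example built from the standard library; it is not the plugin's code. The STS GetCallerIdentity request is SigV4-signed with X-Vault-AWS-IAM-Server-ID as a signed header (the header_value above) and wrapped into the body Vault's auth/aws login endpoint expects, with the optional role. The credentials, server ID, role name and the fixed clock are made up for the demo.

```python
import base64
import datetime as dt
import hashlib
import hmac
import json
from typing import Dict, Optional
from urllib.parse import urlparse

STS_URL = "https://sts.amazonaws.com/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
EXAMPLE_TIME = dt.datetime(2021, 11, 22, 14, 34, 29, tzinfo=dt.timezone.utc)  # fixed clock for the demo


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def sign_sts_get_caller_identity(access_key: str, secret_key: str, session_token: Optional[str] = None,
                                 server_id: Optional[str] = None, region: str = "us-east-1",
                                 now: Optional[dt.datetime] = None) -> Dict[str, str]:
    """SigV4-signed headers for POST sts:GetCallerIdentity. When server_id is given it is sent as
    X-Vault-AWS-IAM-Server-ID and covered by the signature, so the signed request only validates
    against a Vault configured with that same value (the replay-scoping HashiCorp recommends)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Host": urlparse(STS_URL).netloc,
        "X-Amz-Date": amz_date,
    }
    if session_token:
        headers["X-Amz-Security-Token"] = session_token
    if server_id:
        headers["X-Vault-AWS-IAM-Server-ID"] = server_id

    # SigV4 canonical form: lowercase header names, sorted, values trimmed and space-collapsed.
    canonical = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in canonical)
    signed_headers = ";".join(k for k, _ in canonical)
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers, _sha256_hex(STS_BODY)])
    scope = f"{date_stamp}/{region}/sts/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request)])

    signing_key = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    for part in (region, "sts", "aws4_request"):
        signing_key = _hmac(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def vault_iam_login_payload(signed_headers: Dict[str, str], role: Optional[str] = None) -> Dict[str, str]:
    """JSON body for POST /v1/auth/aws/login: the signed STS request, base64-encoded field by field.
    Vault forwards it to STS itself; `role` names the Vault role when it differs from the IAM role."""
    payload = {
        "iam_http_request_method": "POST",
        "iam_request_url": base64.b64encode(STS_URL.encode("utf-8")).decode("ascii"),
        "iam_request_body": base64.b64encode(STS_BODY.encode("utf-8")).decode("ascii"),
        "iam_request_headers": base64.b64encode(
            json.dumps({k: [v] for k, v in signed_headers.items()}).encode("utf-8")).decode("ascii"),
    }
    if role:
        payload["role"] = role
    return payload


def decode_payload(payload: Dict[str, str]) -> Dict[str, object]:
    """Inverse of vault_iam_login_payload, for inspecting exactly what Vault will replay."""
    return {
        "method": payload["iam_http_request_method"],
        "url": base64.b64decode(payload["iam_request_url"]).decode("utf-8"),
        "body": base64.b64decode(payload["iam_request_body"]).decode("utf-8"),
        "headers": json.loads(base64.b64decode(payload["iam_request_headers"])),
        "role": payload.get("role"),
    }
```

Both settings the post asks for are visible in the output: the server ID appears in SignedHeaders of the Authorization header, so a Vault whose auth/aws mount is configured with a different iam_server_id_header_value rejects the request, and role is a plain field of the login body.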