Hi! esc seems pretty promising but I think there's a pretty big problem with the hashicorp vault int...

stale-belgium-7295

10/20/2023, 4:26 AM

Hi! esc seems pretty promising but I think there's a pretty big problem with the hashicorp vault integration, specially if you use vault HCP or vault enterprise (please correct me if I'm wrong). Here's your schema for vault-login -> link The problem stands here:

Copy code

"address": {
                    "type": "string",
                    "description": "The URL of the Vault server. Must contain a scheme and hostname, but no path."
                },

Must contain a scheme and hostname, but no path

. The problem is vault HCP/vault enterprise have a notion of namespace, and authentication methods are set at the namespace level, meaning that if I enable a

jwt

authentication in vault at the namespace level, I need to somehow specify the namespace when authenticating. Usually the namespace is either specified in the path, or via a header: • in the header

Copy code

curl --request POST \
     --header "X-Vault-Namespace: <NAMESPACE>" \
     --data '{"jwt": "'"$(cat $JWT_PATH)"'", "role": "'"$ROLE"'"}' \
     $VAULT_ADDR/v1/auth/jwt/login

• in the path

Copy code

curl --request POST \
     --data '{"jwt": "'"$(cat $JWT_PATH)"'", "role": "'"$ROLE"'"}' \
     $VAULT_ADDR/v1/<NAMESPACE>/auth/jwt/login

But it doesn't seem like we can configure which namespace to use in pulumi ESC's vault integration?

2 Views

Open in Slack

Previous Next

Pulumi Community

No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.