# aws
r
Hi, I'm mixing both AWS IAM and Hashicorp Vault in a Pulumi project
I use pulumi.ComponentResource to create some custom resources (HVault Policies, groups, appRole, and IAM roles)
The Pulumi doc is ... really light and I've struggled to make it work, but for the moment I've got something
1. I create my aws roles with Pulumi
2. I create my vault.aws.SecretBackend with my aws access keys
3. I create my appRoleBackend with vault.AuthBackend
4. I create my HVault Policy & secretBackendRole that link my HVault Role to AWS Role with "assume_role"
5. I create my AuthBackendRole for my appRole to link an app role to a token policy
6. I create my HVault Groups that link a Group to a HVault Policy
What is working so far:
I can retrieve a connection token with an appRole
With this connection token my app or CI can connect to HVault for a limited amount of time and with limited rights
When connected, my app or CI can retrieve an AWS access_key and secret_key for a limited amount of time and with the limited rights granted by the AWS role
Users (entities) linked to a group can also retrieve an AWS access key and secret with the same limited rights
What is not working for the moment:
f
@red-fish-22980 Yeah, I've been able to do a similar setup with Pulumi and it works fine. My particular concern is just about the patterns of using Pulumi to manage the IAM user and key pair that back an AWS secret method in Vault while also allowing Vault to be in charge of rotating that key. It seems as though using Pulumi for that particular bit of set-up may not be great, but I'm not sure if there's something I'm missing
r
Well, we use HVault to manage our users, and AWS is only used through roles
So I don't think I've got the same problem as you
but again, I'm not an expert on the subject, I'm still learning
f
So when you set up your AWS secrets backend in Vault, do you set it up with credentials of its own, or do you use ambient credentials (e.g., your Vault is running in AWS, and it just uses your EC2 instance credentials)? If the backend has its own credentials, what creates those? Pulumi, or a separate process?
r
for the moment, I create AWS credentials with another step of my CI and I put them manually in the Pulumi config
and in my Pulumi code, I use the config to create the AWS Secret Backend

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

// Stack config holds the bootstrap credentials created by an earlier CI step
const cfg = new pulumi.Config();

/**
 * AWS Secret backend
 */
const awsBackend = new vault.aws.SecretBackend("aws", {
    accessKey: cfg.require("aws_access_key"),
    // requireSecret keeps the secret key encrypted in state and output
    secretKey: cfg.requireSecret("aws_secret_key"),
    region: cfg.require("aws_region"),
});
```
f
OK 👍
My problem is that I'd like to be able to have Vault rotate those keys, which will then bring it into conflict with Pulumi
r
yes I understand, I will have to do the same in the future
I have no clue of how to manage that for the moment
f
Well, let me know if you find something that works, and I'll do the same for you 😅
r
👍
my main problem with pulumi is the doc
on how to manage pulumi.ComponentResource
f
what do you mean by managing a ComponentResource?
r
the doc is spread among tons of useless other topics
creating my own ComponentResource like I create classes in other languages
how dependsOn really works, ...
f
dependsOn is generally useful for when you have resources that logically depend on each other, but where that dependency isn't represented in the inputs for that resource. That is, A actually depends on C, but A's constructor only takes B as an argument (and B doesn't directly depend on C). I had to do this with some Vault resources when I created a Namespace, but then needed to create a number of resources inside that Namespace. Unfortunately, because of the way the underlying Terraform Vault provider is designed, you don't actually pass a Namespace as an argument; you have to use an entirely separate provider instance. Because of this, I had to explicitly wire up that dependency with a depends_on.
I do know that the Pulumi folks are actively soliciting feedback on the usability of the documentation, though... you might reach out to @brainy-church-78120 to share your concerns on that point.
r
ok, I'll do that