Venafi / vcert

Go client SDK and command line utility designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.
https://support.venafi.com/hc/en-us/articles/217991528
Apache License 2.0

Support both VCP regions #507

Open hawksight opened 1 month ago

hawksight commented 1 month ago

BUSINESS PROBLEM

Currently EU users of VCP are at a disadvantage in that they require additional configuration to make use of vcert.

For example when requesting a cert:

US:

vcert enroll -p vcp -t $VCP_ACCESS_TOKEN -z "tlspk-peter\tlspk" --cn gimme.cert.com --verbose --no-prompt --format json > mycert.json

EU:

vcert enroll -p vcp --url https://api.venafi.eu -t $VCP_ACCESS_TOKEN -z "Test1\Default" --cn gimme.cert.com --verbose --no-prompt --format json > mycert.json

VCP is the only platform that has multiple backends that I know, so there needs to be some way to identify the region you are using.

For reference without using the --platform|-p flag, vcert defaults to the TPP API paths, e.g.

vcert enroll --url https://api.venafi.eu -t $VCP_ACCESS_TOKEN -z "Test1\Default" --cn gimme.cert.com --verbose --no-prompt --format json > mycert.json
vCert: 2024/07/25 13:06:18 Warning: --platform not set. Attempting to best-guess platform from connection flags
vCert: 2024/07/25 13:06:18 Successfully connected to Trust Protection Platform
vCert: 2024/07/25 13:06:18 Got 404 Not Found status for POST https://api.venafi.eu/vedsdk/certificates/checkpolicy
vCert: 2024/07/25 13:06:18 Invalid status: 404 Not Found Server response:

PROPOSED SOLUTION(S)

I would like to make the experience consistent for both regions' users without adding more configuration. If anything we should reduce it.

  1. Do away with --platform and infer the platform from --url. Based on the fact EU users have to provide it, why not make all provide it.
  2. Add EU / US specific values to --platform|-p, e.g. vcp-us|vcp-eu|vcp where vcp could default to api.venafi.cloud for backwards compatibility.
  3. Add a --region flag that's only applicable when using --platform vcp. Valid values: EU|US

CURRENT ALTERNATIVES

N/A

VENAFI EXPERIENCE

I am currently a Venafi Employee.

ANY OTHER CONTEXT

When creating a service account with a VCP EU tenant, I got a URL back like this:

I had just seen the .cloud suffix and therefore had not thought to change my follow-up vcert enroll command. For example in an EU tenant, to request a token via JWT, the command length / params are the same:

# EU / US
vcert getcred -p vcp --token-url $VCP_TOKEN_URL --external-jwt $JWT --verbose --format json

If I intended to script with vcert CLI, then this command would change easily based on variable. The enroll command however forces me to if and change the command based on the region I am using.
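As an added illustration of proposals 1 to 3 above (example code written here, not vcert's own implementation), this Go function resolves the VCP base URL from a hypothetical flag set of --platform, --region and --url, keeps plain "vcp" defaulting to api.venafi.cloud, and fails closed on anything it cannot identify rather than best-guessing the platform the way the 404 log above shows.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hostnames of the two VCP regions, as quoted in the issue.
const vcpUS, vcpEU = "https://api.venafi.cloud", "https://api.venafi.eu"

// ErrUnknownPlatform is returned instead of guessing a backend.
var ErrUnknownPlatform = errors.New("cannot determine VCP region from flags")

// ResolveVCPURL maps the hypothetical flags {--platform, --region, --url}
// to a base URL. Precedence: an explicit --url host, then a region-suffixed
// --platform (vcp-us / vcp-eu), then --region, then the compatible default.
func ResolveVCPURL(platform, region, rawURL string) (string, error) {
	if rawURL != "" {
		u, err := url.Parse(rawURL)
		if err != nil || u.Host == "" {
			return "", fmt.Errorf("invalid --url %q", rawURL)
		}
		switch strings.ToLower(u.Host) {
		case "api.venafi.cloud":
			return vcpUS, nil
		case "api.venafi.eu":
			return vcpEU, nil
		}
		return "", fmt.Errorf("%w: unrecognised host %q", ErrUnknownPlatform, u.Host)
	}
	switch strings.ToLower(platform) {
	case "vcp-us":
		return vcpUS, nil
	case "vcp-eu":
		return vcpEU, nil
	case "vcp":
		switch strings.ToUpper(region) {
		case "", "US":
			return vcpUS, nil // unchanged default keeps existing scripts working
		case "EU":
			return vcpEU, nil
		}
		return "", fmt.Errorf("%w: unknown --region %q", ErrUnknownPlatform, region)
	}
	return "", fmt.Errorf("%w: --platform %q", ErrUnknownPlatform, platform)
}
```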