dapr / components-contrib

Community driven, reusable components for distributed apps
Apache License 2.0

Support for appRole based authentication for secretstores.hashicorp.vault #2231

Open neeta-rathi opened 1 year ago

neeta-rathi commented 1 year ago

Describe the feature

We use AppRole based authentication to manage secrets within Vault. More info on AppRole can be found here.

Dapr's secretstores.hashicorp.vault component uses token-based authentication. Here are the keys/values on the component that require the token to be provided:

  - name: vaultTokenMountPath # Required if vaultToken not provided. Path to token file.
    value: "[path_to_file_containing_token]"
  - name: vaultToken # Required if vaultTokenMountPath not provided. Token value.
    value: "[token_value]"

The apps don't have access to the token; however, they are designed to access Vault with AppRole authentication. So the ask here is to support AppRole-based authentication from Dapr's component when spec.type=secretstores.hashicorp.vault.


yaron2 commented 1 year ago

@neeta-rathi there are several ways to provide an app (Dapr in this case) with the SecretID as mentioned in the link above.

One thing we can easily do is allow users to supply the SecretID to Dapr via the component secret ref, which means that on Kubernetes there will be a k8s secret (in the example below, named secretID) that holds the SecretID value and is provided to Dapr like this:

- name: secretID
  secretKeyRef:
    name: secretID
    key: secretID

I'm interested to know, based on your organizational policy, whether this would be considered secure enough and, if not, how you plan on distributing the SecretID to apps.
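For readers following the request in this thread, here is what the AppRole exchange Dapr would have to perform looks like in Go. This is an added example, not code from Dapr or from the components-contrib secret store; it only uses the real Vault endpoint POST /v1/auth/approle/login, which takes both role_id and secret_id and returns auth.client_token. The stand-in server, the role/secret values and the token string are constructed for the example so it runs offline.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// appRoleLoginRequest is the JSON body Vault expects at POST /v1/auth/<mount>/login.
type appRoleLoginRequest struct {
	RoleID   string `json:"role_id"`
	SecretID string `json:"secret_id"`
}

// appRoleLoginResponse mirrors the subset of Vault's login response needed here.
type appRoleLoginResponse struct {
	Auth struct {
		ClientToken   string `json:"client_token"`
		LeaseDuration int    `json:"lease_duration"`
		Renewable     bool   `json:"renewable"`
	} `json:"auth"`
	Errors []string `json:"errors"`
}

// AppRoleLogin exchanges a RoleID/SecretID pair for a Vault client token and its TTL.
// vaultAddr is the Vault base URL; mountPath is the auth mount, normally "approle".
// Both IDs are required: a SecretID alone is not accepted by Vault.
func AppRoleLogin(client *http.Client, vaultAddr, mountPath, roleID, secretID string) (string, time.Duration, error) {
	if roleID == "" || secretID == "" {
		return "", 0, errors.New("approle: roleID and secretID are both required")
	}
	body, err := json.Marshal(appRoleLoginRequest{RoleID: roleID, SecretID: secretID})
	if err != nil {
		return "", 0, err
	}
	loginURL := fmt.Sprintf("%s/v1/auth/%s/login", vaultAddr, mountPath)
	req, err := http.NewRequest(http.MethodPost, loginURL, bytes.NewReader(body))
	if err != nil {
		return "", 0, err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	// Bound the response size so a misbehaving endpoint cannot exhaust memory.
	raw, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return "", 0, err
	}
	var parsed appRoleLoginResponse
	if err := json.Unmarshal(raw, &parsed); err != nil {
		return "", 0, fmt.Errorf("approle: decoding response: %w", err)
	}
	if resp.StatusCode != http.StatusOK {
		return "", 0, fmt.Errorf("approle: login failed (HTTP %d): %v", resp.StatusCode, parsed.Errors)
	}
	if parsed.Auth.ClientToken == "" {
		return "", 0, errors.New("approle: login succeeded but response carried no client_token")
	}
	return parsed.Auth.ClientToken, time.Duration(parsed.Auth.LeaseDuration) * time.Second, nil
}

// NewFakeVault returns a stand-in server that implements only the AppRole login
// endpoint and accepts exactly one RoleID/SecretID pair. It is constructed for this
// example and is not Vault; the token it hands out is a made-up value.
func NewFakeVault(wantRoleID, wantSecretID string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.Method != http.MethodPost || r.URL.Path != "/v1/auth/approle/login" {
			w.WriteHeader(http.StatusNotFound)
			fmt.Fprint(w, `{"errors":["unsupported path"]}`)
			return
		}
		var in appRoleLoginRequest
		if err := json.NewDecoder(r.Body).Decode(&in); err != nil || in.RoleID != wantRoleID || in.SecretID != wantSecretID {
			w.WriteHeader(http.StatusBadRequest)
			fmt.Fprint(w, `{"errors":["invalid role or secret ID"]}`)
			return
		}
		fmt.Fprint(w, `{"auth":{"client_token":"hvs.fake-token-for-example","lease_duration":3600,"renewable":true}}`)
	}))
}

func main() {
	vault := NewFakeVault("role-id-example", "secret-id-example")
	defer vault.Close()
	token, ttl, err := AppRoleLogin(vault.Client(), vault.URL, "approle", "role-id-example", "secret-id-example")
	if err != nil {
		fmt.Println("login failed:", err)
		return
	}
	fmt.Printf("got token %q valid for %s\n", token, ttl)
}
```

The token returned by the login is what the existing component expects in vaultToken, so a component implementation would run this exchange at init (and again before lease_duration expires) instead of reading a pre-issued token from a file. The RoleID is generally not sensitive and can sit in plain metadata, while the SecretID is the credential that needs a secretKeyRef or another protected delivery path.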

dapr-bot commented 1 year ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged (pinned, good first issue, help wanted or triaged/resolved) or other activity occurs. Thank you for your contributions.

dapr-bot commented 1 year ago

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as pinned, good first issue, help wanted or triaged/resolved. Thank you for your contributions.

infine8 commented 1 year ago

I believe there should be two fields: roleId and secretId. Do you think only secretId is enough? BTW, when are you going to release this feature? I really need it. Can you add this to a prerelease?

deivanaiarunagiri commented 1 year ago

Is there any update on the AppRole/SecretID authentication with Vault from Dapr?

Kreestyan commented 9 months ago

Is anyone looking into this? There would be great value in delivering AppRole-based authentication from Dapr's component when spec.type=secretstores.hashicorp.vault. With pure token-based authentication, authentication tokens are not replicated between Vault clusters. This is a HashiCorp Vault limitation. This means our Vault is limited to one cluster and exposes us to resiliency issues.