genesis-community / concourse-genesis-kit

A Genesis Kit for Concourse CI/CD
MIT License

Exodus Path for AppRole #64

Closed 7hunderbird closed 3 years ago

7hunderbird commented 3 years ago

Today I was examining the vault policy created by the setup-approle addon.

And saw this policy:

$ safe vault policy read genesis-pipelines
# Allow the pipelines to read all items within Vault, and write to secret/exodus (for genesis exodus data)

path "/secret/*" {
  capabilities = ["read", "list"]
}

path "/secret/*" {
  capabilities = ["create", "read", "update", "list", "delete"]
}

Is the second path meant to be /secret/exodus/* instead?

It may be a combo of how the path for secrets_mount gets set in genesis.

And how the matching_mount function affects the exo_mnt value in the addon script.

For now, the security impact is that the app-role can write to anything in Vault, instead of only in the exodus path.
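Added example, not code from the issue or from the kit: a small Python check that parses the policy stanzas quoted above and flags any path granting write-class capabilities outside an allowed prefix. The corrected policy text and the prefix secret/exodus/ are assumptions following the issue's own suggestion.

```python
import re

# Policy text quoted in the issue above (the overly broad stanza) and, as an
# assumed correction, the same policy with the write stanza narrowed to
# secret/exodus/*. Both are embedded so the check runs offline.
BROAD_POLICY = '''
path "/secret/*" {
  capabilities = ["read", "list"]
}

path "/secret/*" {
  capabilities = ["create", "read", "update", "list", "delete"]
}
'''
NARROW_POLICY = '''
path "/secret/*" {
  capabilities = ["read", "list"]
}

path "/secret/exodus/*" {
  capabilities = ["create", "read", "update", "list", "delete"]
}
'''
# Capabilities that let a token change or remove data (Vault's write-class ACLs).
WRITE_CAPS = {"create", "update", "delete", "patch", "sudo"}

STANZA_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)

def parse_policy(text):
    """Return [(path, {capabilities})] for each path stanza in a policy."""
    stanzas = []
    for path, caps in STANZA_RE.findall(text):
        cap_set = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
        stanzas.append((path, cap_set))
    return stanzas

def writable_outside(text, allowed_prefix):
    """Paths granting write-class capabilities that are not confined to
    allowed_prefix (compared with the leading slash stripped)."""
    findings = []
    for path, caps in parse_policy(text):
        if caps & WRITE_CAPS and not path.lstrip("/").startswith(allowed_prefix):
            findings.append((path, sorted(caps & WRITE_CAPS)))
    return findings

if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("narrow", NARROW_POLICY)):
        print(name, writable_outside(pol, "secret/exodus/"))
```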

7hunderbird commented 3 years ago

Thanks @dennisjbell for the update. 👍

dennisjbell commented 3 years ago

Fixed in v3.21.3