hashicorp / packer-plugin-amazon

Packer plugin for Amazon AMI Builder
https://www.packer.io/docs/builders/amazon
Mozilla Public License 2.0

Unable to leverage `vault_aws_engine` with HashiCorp Vault Enterprise - No authentication #402

Open brlara-mt opened 1 year ago

brlara-mt commented 1 year ago

Overview of the Issue

When attempting to use the vault_aws_engine functionality, I continuously receive a 403 response from HashiCorp Vault. We are attempting to reduce secrets sprawl in our build environment while trying to deploy a different HashiCorp product on AWS. However, when we attempt to use the EC2 builder with EBS we are unable to get past the pre-flight validation check with credentials. It's important to note that we are using HashiCorp Vault Enterprise, and the secret we are attempting to receive resides in a namespace that is a multi-level child of the root namespace.

Reproduction Steps

Steps to reproduce this issue

  1. Create the following Packer HCL configuration and export the following environment variables:

Environment Variables

```bash
export VAULT_ADDR="https://my.vault.cluster:8200"
export VAULT_NAMESPACE="my/namespace"
export VAULT_TOKEN="validToken"
```

Packer Config

```hcl
source "amazon-ebs" "basic-example" {
  region        = "us-gov-east-1"
  instance_type = "t2.micro"
  ssh_username  = "rhel"
  ami_name      = "packer_AWS {{timestamp}}"

  vault_aws_engine {
    name        = "myrole"
    engine_name = "my/namespace/my/engine"
    ttl         = "3600s"
  }

  source_ami_filter {
    filters = {
      virtualization-type = "hvm"
      name                = "RHEL-8*-x86_64-*"
      root-device-type    = "ebs"
    }
    owners      = ["309956199498"]
    most_recent = true
  }

  # vpc_id and subnet_id values were omitted from the report
  vpc_id    =
  subnet_id =
}

build {
  sources = [
    "source.amazon-ebs.basic-example"
  ]
}
```

  2. Execute a packer build with the configuration file:

Output

```bash
packer build mybuild.pkr.hcl
Error: 1 error(s) occurred:

* Error reading vault secret: Error making API request.

URL: GET https://my.vault.cluster:8200/v1/my/namespace/my/engine/creds/myrole
Code: 403. Errors:

* 1 error occurred:
	* permission denied

  on mybuild.pkr.hcl line 8:
  (source code not available)
```

Plugin and Packer version

From packer version

Packer v1.8.6

brlara-mt commented 1 year ago

I've come across this function, `GetCredsFromVault()`, which seems to ignore the `VAULT_TOKEN` and `VAULT_ADDR` environment variables in favor of using the `DefaultConfig` struct from the Vault API library. Is this anticipated to resolve the Vault token for us?

See the following code block:

```go
// ...
func (c *AccessConfig) GetCredsFromVault() error {
    // const EnvVaultAddress = "VAULT_ADDR"
    // const EnvVaultToken = "VAULT_TOKEN"
    vaultConfig := vaultapi.DefaultConfig()
    cli, err := vaultapi.NewClient(vaultConfig)
    if err != nil {
        return fmt.Errorf("Error getting Vault client: %s", err)
    }
    if c.VaultAWSEngine.EngineName == "" {
        c.VaultAWSEngine.EngineName = "aws"
    }

    secret, err := c.getCredsFromVault(cli)
// ...
```
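As an added illustration (not code from the plugin or the Vault library), the stdlib-only program below rebuilds the request the Vault client issues for the plugin's `<engine_name>/creds/<name>` read: address, token and namespace are taken from `VAULT_ADDR`, `VAULT_TOKEN` and `VAULT_NAMESPACE` the way `DefaultConfig()`/`NewClient()` document, the namespace travels in the `X-Vault-Namespace` header, and the URL path stays relative to it. `effectivePath` shows the namespaced path Vault Enterprise actually authorizes for the values in this report, which is the path a token policy must grant; that the vendored client honours `VAULT_NAMESPACE` is an assumption, not something the issue confirms.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"strings"
)

// credsRequest mirrors the client's read of <engine>/creds/<role>: the
// namespace goes in X-Vault-Namespace, the URL path is namespace-relative.
func credsRequest(addr, namespace, token, engine, role string) (*http.Request, error) {
	if engine == "" {
		engine = "aws" // the plugin's default engine_name
	}
	relPath := strings.Trim(engine, "/") + "/creds/" + role
	req, err := http.NewRequest(http.MethodGet, strings.TrimRight(addr, "/")+"/v1/"+relPath, nil)
	if err != nil {
		return nil, err
	}
	if token != "" {
		req.Header.Set("X-Vault-Token", token)
	}
	if namespace != "" {
		req.Header.Set("X-Vault-Namespace", namespace)
	}
	return req, nil
}

// effectivePath is what Vault Enterprise resolves: header namespace + request
// path. With VAULT_NAMESPACE=my/namespace and engine_name=my/namespace/my/engine
// this becomes my/namespace/my/namespace/my/engine/creds/myrole.
func effectivePath(namespace, relPath string) string {
	ns := strings.Trim(namespace, "/")
	if ns == "" {
		return relPath
	}
	return ns + "/" + relPath
}

func main() {
	addr := os.Getenv("VAULT_ADDR") // DefaultConfig() reads VAULT_ADDR ...
	if addr == "" {
		addr = "https://127.0.0.1:8200" // ... and falls back to this address
	}
	// NewClient() reads VAULT_TOKEN and VAULT_NAMESPACE (assumed for the vendored version).
	req, err := credsRequest(addr, os.Getenv("VAULT_NAMESPACE"), os.Getenv("VAULT_TOKEN"),
		"my/namespace/my/engine", "myrole")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	rel := strings.TrimPrefix(req.URL.Path, "/v1/")
	fmt.Println("URL:      ", req.URL)
	fmt.Println("namespace:", req.Header.Get("X-Vault-Namespace"))
	fmt.Println("effective:", effectivePath(req.Header.Get("X-Vault-Namespace"), rel))
}
```

Run it with the three variables from the report exported to see the namespaced path Vault checks against the token's policy.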