Open grahamc opened 2 years ago
Thanks for this, and for linking the existing issue, too. I'll get some eyes on it. :)
Adding a subscriber to this. The owner/group/perms of the sink file should be settable.
Agree, having huge issues with this.
I was following along with this, and see there are options for owner and group now in 1.18 from https://github.com/hashicorp/vault/pull/27123, but I am curious if it's possible to do this without UID or GID in cases where we'd need the sink file owned by a user/group that don't have static IDs, or are managed by other package installations.
Example: the jenkins package has a preinstall to create the jenkins user and group, but a uid/gid is not specified; it's provided by the system, and therefore isn't necessarily the same across all systems:
rpm -q jenkins --scripts
preinstall scriptlet (using /bin/sh):
/usr/bin/getent group jenkins &>/dev/null || /usr/sbin/groupadd -r jenkins &>/dev/null
# SUSE version had -o here, but in Fedora -o isn't allowed without -u
/usr/bin/getent passwd jenkins &>/dev/null || /usr/sbin/useradd -g jenkins -s /bin/false -r -c "Jenkins Automation Server" \
-d "/var/lib/jenkins" jenkins &>/dev/null
Is your feature request related to a problem? Please describe.
Given a config like this:
Note the 256 is to work around #9404.
The /run/keys/my-token file is deleted and recreated with the owner / group running the Vault agent. This is different from the templating support, which will preserve the owner and group of the existing file.
Describe the solution you'd like
I would like to specify the owner and group of the sink file, or, have the sink preserve the ownership.
Describe alternatives you've considered
Running vault login in a loop to create the file instead.
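As an added example (not Vault's own code, and not from anyone in this thread), here is the requested sink behaviour in Python: owner and group are given by name and resolved on the host at write time, so a package-created user such as jenkins works without a static uid, and a rewrite with no names keeps the existing file's ownership, the way the templating support is described as doing. The names `to_ids`, `write_sink` and `demo` and the token strings are constructed for the example.

```python
import grp
import os
import pwd
import tempfile

def to_ids(owner, group):
    """Names are resolved on the host at run time, so a `jenkins` user with a
    system-picked uid works everywhere; ints pass through; None -> -1 (keep)."""
    uid = -1 if owner is None else owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid
    gid = -1 if group is None else group if isinstance(group, int) else grp.getgrnam(group).gr_gid
    return uid, gid

def write_sink(path, data, owner=None, group=None, mode=0o640):
    """Atomically replace the sink file. Owner/group precedence: explicit names,
    else the existing file's (the 'preserve' behaviour asked for above), else the
    writing process. mkstemp yields a 0600 temp file in the same directory, and
    mode + ownership are applied before the rename, so readers never see a
    partial token or a briefly too-open file."""
    uid, gid = to_ids(owner, group)
    if os.path.exists(path):
        st = os.stat(path)
        uid, gid = (st.st_uid if uid == -1 else uid), (st.st_gid if gid == -1 else gid)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".sink-")
    try:
        try:
            os.write(fd, data.encode())  # tokens are small; one write suffices
            os.fchmod(fd, mode)
            os.fchown(fd, uid, gid)
            os.fsync(fd)
        finally:
            os.close(fd)
        os.replace(tmp, path)  # atomic swap: readers see old or new, never both
    except BaseException:
        os.unlink(tmp)
        raise
    st = os.stat(path)
    return {"uid": st.st_uid, "gid": st.st_gid, "mode": st.st_mode & 0o777}

def demo():
    """Constructed run as the current user (no root needed)."""
    uid, gid = os.getuid(), os.getgid()
    try:  # names where the process has a passwd/group entry, else numeric ids
        owner, group = pwd.getpwuid(uid).pw_name, grp.getgrgid(gid).gr_name
    except KeyError:
        owner, group = uid, gid
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "my-token")
        first = write_sink(path, "hvs.CONSTRUCTED-TOKEN\n", owner, group)
        second = write_sink(path, "hvs.CONSTRUCTED-ROTATED\n")  # must keep owner
        content = open(path).read()
    return first, second, content
```

Running `demo()` rewrites the constructed token once with explicit names and once without, and the second result carries the same uid/gid and 0640 mode as the first.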