hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

AWS Signature V4 auth backend #1379

Closed louis-gounot closed 6 years ago

louis-gounot commented 8 years ago

Hello,

Would it be possible to have an AWS Signature V4 auth backend? Signature algorithm documentation: http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html

Let's imagine I want to build an AWS IAM compatible service (that is, a service offering similar features and using the same signature algorithm for code reuse purposes). In such a case, I need to be able to store credentials (access key/secret tuples) in Vault. If I want to use Vault to securely store the secret part, currently I can't keep it inside Vault because I need it to derive the signing key.

Having an AWS Signature V4 auth backend would allow keeping the secret part secured inside Vault while still being able to verify the signature (requesting a signature check on an access key by providing the signature to check, the service, the region and the text to sign).

louis-gounot commented 8 years ago

I think it could also be a transit backend addition. But transit is a secret backend, whereas I think my request would be more of an auth backend.

ejfinneran commented 8 years ago

@louis-gounot I actually already wrote this backend and it works great. I'll try to get it into a public branch soon.

If there is interest in making it part of stock Vault, I can open a pull request as well.

louis-gounot commented 8 years ago

@ejfinneran It would be great if you could publish your code.

Regarding a pull request, I think it is more up to the Vault managers to say.

ejfinneran commented 8 years ago

@louis-gounot Here are the changes I have.

https://github.com/hashicorp/vault/compare/master...cloudability:aws-signature

This was written against Vault 0.2.0 so it probably needs to be updated if you want to patch the latest version of Vault.

I don't really have docs written, but basically this is how it works:

$ vault mount awssignature
Successfully mounted 'awssignature' at 'awssignature'!

$ vault write awssignature/foo secret_access_key=itsasecret
Success! Data written to: awssignature/foo

$ vault read awssignature/foo/20151031/ec2/us-east-1
Key         Value
signature   mMV1Htpuz7xN/AfAgT8/oZMG5lVzxVbbS72EriC9dF0=

The endpoint returns a base64 encoded signing key.
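The two halves of this thread, louis-gounot's request to verify a signature given an access key, service, region and text to sign, and ejfinneran's endpoint that returns a base64 signing key for a date/service/region path, both rest on the SigV4 signing-key derivation chain. The following Go program is an added example written for this page; it is not code from the linked cloudability branch or from Vault. It derives the key exactly as the AWS documentation specifies (HMAC-SHA256 chained over date, region, service and the literal `aws4_request`), encodes it as base64 the way the thread's `awssignature` read endpoint does, and then shows the verification step the issue asks for, comparing the presented signature in constant time. The secret access key and string-to-sign below are constructed sample values, not real credentials.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// hmacSHA256 is the single primitive that SigV4 chains together.
func hmacSHA256(key []byte, data string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(data))
	return mac.Sum(nil)
}

// DeriveSigningKey implements the SigV4 derivation:
//   kDate    = HMAC("AWS4" + secret, date)       // date as YYYYMMDD
//   kRegion  = HMAC(kDate, region)
//   kService = HMAC(kRegion, service)
//   kSigning = HMAC(kService, "aws4_request")
// The long-lived secret is only ever used as the first HMAC key, which is
// why a backend holding the secret can hand out kSigning without exposing it.
func DeriveSigningKey(secretAccessKey, date, region, service string) []byte {
	kDate := hmacSHA256([]byte("AWS4"+secretAccessKey), date)
	kRegion := hmacSHA256(kDate, region)
	kService := hmacSHA256(kRegion, service)
	return hmacSHA256(kService, "aws4_request")
}

// SigningKeyBase64 mirrors what the thread's awssignature/<key>/<date>/<service>/<region>
// read endpoint returns: the derived key, base64 encoded.
func SigningKeyBase64(secretAccessKey, date, region, service string) string {
	return base64.StdEncoding.EncodeToString(DeriveSigningKey(secretAccessKey, date, region, service))
}

// Sign is the client side: the hex HMAC of the canonical string-to-sign under kSigning.
func Sign(signingKey []byte, stringToSign string) string {
	return hex.EncodeToString(hmacSHA256(signingKey, stringToSign))
}

// VerifySignature is the server-side check louis-gounot describes: given the stored
// secret plus the date, region, service and text to sign, recompute the expected
// signature and compare it in constant time so the check leaks no timing information.
func VerifySignature(secretAccessKey, date, region, service, stringToSign, presentedSig string) bool {
	expected := Sign(DeriveSigningKey(secretAccessKey, date, region, service), stringToSign)
	return hmac.Equal([]byte(expected), []byte(presentedSig))
}

func main() {
	// Constructed sample values; not a real AWS credential.
	secret := "itsasecret"
	date, region, service := "20151031", "us-east-1", "ec2"
	fmt.Println("signing key (base64):", SigningKeyBase64(secret, date, region, service))

	// A constructed string-to-sign in the SigV4 layout: algorithm, timestamp,
	// credential scope, and the SHA-256 of the canonical request.
	stringToSign := "AWS4-HMAC-SHA256\n20151031T000000Z\n20151031/us-east-1/ec2/aws4_request\n" +
		hex.EncodeToString(sha256.New().Sum(nil))
	sig := Sign(DeriveSigningKey(secret, date, region, service), stringToSign)
	fmt.Println("signature:", sig)
	fmt.Println("verifies:", VerifySignature(secret, date, region, service, stringToSign, sig))
	fmt.Println("verifies with wrong region:", VerifySignature(secret, date, "us-west-2", service, stringToSign, sig))
}
```

The design point the issue is making falls out of the derivation: a service that holds only `kSigning` for one date, region and service can sign and verify requests within that scope, while the secret access key itself stays inside the backend. Handing out the scoped key is still a delegation of signing authority for that day, so it belongs behind the same policy controls as the secret.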

jefferai commented 6 years ago

We have no current plans for a built-in backend to do this, but with our plugin capabilities this can now be easily created by an interested third party!