avishnyakov
commented
3 years ago Happy to give this a go. @dwizzle204, evaluating the exact same SAS-approach for broader services - storage, cosmos, event hub and others.
That said, found that existing documentation for plugin development does not give much clarity. Started investigation from this ticket
- https://github.com/hashicorp/vault/issues/6822 by @hasheddan (top work, thank you a lot!)
More info on secrets plugin development:
- vault-guides are rather basic
- the above mock secrets codebase is done mostly by @hasheddan (in https://github.com/hasheddan/vault-plugin-secrets-covert)
- reviewing existing plugins might help a lot, but this is more of a reverse engineering
- looking into plugins written by others also very helpful
- vault-plugin-secrets-azure is helpful, gives an idea on azure sdk usage
- db based plugins also helpful, not sure if they could be re-purposed for this work, probably not (just to not start from scratch)
- https://github.com/petems/vault-plugin-database-mockdb
- number of other examples are out there, need to review codebase and pick a good one
- great write up on auth plugin: Development of auth plugin for HashiCorp Vault Enterprise
- more investigation is needed for sure
@yhyakuna, I see you helped a lot in https://github.com/hashicorp/vault/issues/6822. Could you please help again and advise on more reference / documentation regarding secrets plugins one more time?
yhyakuna
Shaybs
Chili-Man
Is your feature request related to a problem? Please describe. Need a better way to manage SAS tokens
Describe the solution you'd like Similar to spn secrets we would have a real use for dynamically created sas tokens based on vault roles.
https://docs.microsoft.com/en-us/rest/api/eventhub/generate-sas-token
https://github.com/Azure/azure-sdk-for-go/blob/master/storage/blobsasuri.go
Explain any additional use-cases We have some applications that prefer the SAS token over a SPN this would help us better secure and manage these cases