Closed kkronenb closed 6 months ago
CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅
I have read the CLA Document and I hereby sign the CLA
recheck
@kkronenb You're good to go with CLA. The checker doesn't work consistently 🤷🏼♂️
@TJM You may be interested in reviewing this too.
I agree that this creates a very significant security issue unless you have vault policies that are restricting the scope attribute's value. I would recommend heavy warnings, as you mention, and even vault_policy examples for how to restrict access to certain groups. It honestly looks to me like you are just moving the onus for which pipeline has access to which artifactory tokens to the vault policy layer. Perhaps you are doing some magic there (if I recall). Please post a working example policy so we can put it into the "acceptance" testing, and readme.
has access to which artifactory tokens to the vault policy layer.
Correct, each Artifactory role in Vault will need a policy to allow access to it in either scenario. For scoped tokens, the Vault policy should have additional constraints as mentioned in the README.
I was honestly hoping there was some sort of policy magic that you could restrict the group name to only groups that the logged in token was a member of. Maybe that is asking too much from vault? ;)
This enhancement will allow the plugin to create an access token of targeted scope and allows Vault to act as an Artifactory access token vending machine. This is desirable because it decouples the Artifactory Role configuration in Vault from the Artifactory Group/Repo configuration.
vault write artifactory/roles/ci scope="applied-permissions/groups:admin" default_ttl=1h max_ttl=3h
vault read artifactory/token/ci scope=applied-permissions/groups:test-group
The Vault policy looks like the following
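An example Vault ACL policy, added here to illustrate the constraint the discussion describes; it is not the PR's own policy (which is not reproduced on this page) and assumes the `artifactory/token/<role>` path and the `scope` request parameter shown in the commands above. It also assumes that omitting `scope` makes the plugin fall back to the scope configured on the role, which is why the parameter is made mandatory.

```hcl
# Added example policy (not the plugin's own). Assumes the path layout
# artifactory/token/<role> and a `scope` request parameter, as in the
# commands in the PR description.

# CI pipelines may mint scoped tokens for the "ci" role, but only for an
# allow-listed set of groups.
path "artifactory/token/ci" {
  capabilities = ["read"]

  # Refuse requests that omit scope, so a caller cannot fall back to the
  # role's configured scope (admin in the example above) by leaving the
  # parameter out. (Assumption: the plugin falls back to the role scope.)
  required_parameters = ["scope"]

  # Only these scope values are accepted; any other value, including
  # applied-permissions/groups:admin, is rejected by Vault before the
  # request reaches the plugin.
  allowed_parameters = {
    "scope" = [
      "applied-permissions/groups:test-group",
      "applied-permissions/groups:readers",
    ]
  }
}

# The role definition stays out of reach of pipeline tokens: grant
# create/update on artifactory/roles/* only to a separate admin policy.
path "artifactory/roles/*" {
  capabilities = ["deny"]
}
```

Load it with `vault policy write ci-artifactory ci-artifactory.hcl`, attach it to the pipeline's auth role, and verify in acceptance testing that `vault read artifactory/token/ci scope=applied-permissions/groups:admin` and a read without `scope` both return a permission denied error while the allow-listed group succeeds.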