jfrog / vault-plugin-secrets-artifactory

HashiCorp Vault Secrets Plugin for Artifactory
https://jfrog.com
Apache License 2.0

Allow for scoped down group access tokens #147

Closed kkronenb closed 6 months ago

kkronenb commented 7 months ago

This enhancement will allow the plugin to create an access token of targeted scope and allows Vault to act as an Artifactory access token vending machine. This is desirable because it decouples the Artifactory Role configuration in Vault from the Artifactory Group/Repo configuration.

vault write artifactory/roles/ci scope="applied-permissions/groups:admin" default_ttl=1h max_ttl=3h

vault read artifactory/token/ci scope=applied-permissions/groups:test-group

The Vault policy looks like the following

path "artifactory/token/ci" {
  capabilities = ["read"]
  required_parameters = ["scope"]
  allowed_parameters = {
    "scope" = ["applied-permissions/groups:test-group"]
  }
  denied_parameters = {
    "scope" = ["applied-permissions/groups:admin"]
  }
}

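An added example, not code from the plugin or from this PR: a small Python model of how Vault evaluates required_parameters, denied_parameters and allowed_parameters on a path, applied to the policy above and to a bare `capabilities = ["read"]` grant, so the difference between the two can be checked against sample requests. The policy dicts are a constructed rendering of the HCL, and the glob matching is a simplification of Vault's.

```python
from typing import Dict, List, Optional

# Constructed Python rendering of the HCL policy quoted in the PR description.
SCOPED_POLICY = {
    "artifactory/token/ci": {
        "capabilities": ["read"],
        "required_parameters": ["scope"],
        "allowed_parameters": {"scope": ["applied-permissions/groups:test-group"]},
        "denied_parameters": {"scope": ["applied-permissions/groups:admin"]},
    }
}
# The same path with a bare capability grant: any scope the role permits can be requested.
UNSCOPED_POLICY = {"artifactory/token/ci": {"capabilities": ["read"]}}


def _value_matches(value: str, patterns: List[str]) -> bool:
    """Exact match, or a simplified leading/trailing '*' glob (Vault allows globs here)."""
    for pat in patterns:
        if pat.startswith("*") and value.endswith(pat[1:]):
            return True
        if pat.endswith("*") and value.startswith(pat[:-1]):
            return True
        if value == pat:
            return True
    return False


def request_permitted(policy: Dict, path: str, params: Dict[str, str]) -> Optional[str]:
    """None if the request passes the path's parameter constraints, else the denial reason.
    Order mirrors Vault: required_parameters, then denied_parameters (which win over
    allowed_parameters), then allowed_parameters when any are declared."""
    rule = policy.get(path)
    if rule is None:
        return "no policy rule for path"
    for name in rule.get("required_parameters", []):
        if name not in params:
            return f"missing required parameter {name!r}"
    denied = rule.get("denied_parameters", {})
    allowed = rule.get("allowed_parameters", {})
    for name, value in params.items():
        key = name.lower()  # Vault matches parameter names case-insensitively
        if key in denied and (not denied[key] or _value_matches(value, denied[key])):
            return f"{name}={value!r} is in denied_parameters"
        if allowed and key in allowed:
            if allowed[key] and not _value_matches(value, allowed[key]):
                return f"{name}={value!r} is not in allowed_parameters"
        elif allowed and "*" not in allowed:
            return f"parameter {name!r} is not in allowed_parameters"
    return None
```

Under UNSCOPED_POLICY a request for the admin group scope passes, which is the exposure the scoped policy's constraints exist to close.
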
github-actions[bot] commented 7 months ago

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

kkronenb commented 7 months ago

I have read the CLA Document and I hereby sign the CLA

kkronenb commented 7 months ago

recheck

alexhung commented 7 months ago

@kkronenb You're good to go with CLA. The checker doesn't work consistently 🤷🏼‍♂️

alexhung commented 7 months ago

@TJM You may be interested in reviewing this too.

TJM commented 7 months ago

I agree that this creates a very significant security issue unless you have vault policies that are restricting the scope attribute's value. I would recommend heavy warnings, as you mention, and even vault_policy examples for how to restrict access to certain groups. It honestly looks to me like you are just moving the onus for which pipeline has access to which artifactory tokens to the vault policy layer. Perhaps you are doing some magic there (if I recall). Please post a working example policy so we can put it into the "acceptance" testing, and readme.

kkronenb commented 7 months ago

has access to which artifactory tokens to the vault policy layer.

Correct, each Artifactory role in Vault will need a policy to allow access to it in either scenario. For scoped tokens, the Vault policy should have additional constraints as mentioned in the README.

TJM commented 7 months ago

has access to which artifactory tokens to the vault policy layer.

Correct, each Artifactory role in Vault will need a policy to allow access to it in either scenario. For scoped tokens, the Vault policy should have additional constraints as mentioned in the README.

I was honestly hoping there was some sort of policy magic that you could restrict the group name to only groups that the logged in token was a member of. Maybe that is asking too much from vault? ;)