
roams/2022-12-12-vault/ #3

Open utterances-bot opened 10 months ago

utterances-bot commented 10 months ago

Vault | Appreciate life and record it

Vault: detailed usage notes. Intro: Vault is an open-source secrets management store from HashiCorp…

https://blog.liuliancao.com/roams/2022-12-12-vault/

zhulianmei commented 10 months ago

Hi, I'd like to ask a question.

1. I set the maximum session duration of the Alibaba Cloud RAM role to 2 hours.
2. On the Vault side I ran the following two commands:

```
vault secrets tune -default-lease-ttl=2h alicloud/
vault secrets tune -max-lease-ttl=24h alicloud/
```

The result is:

```
Local   No
Seal wrap   No
Default Lease TTL   7200
Max Lease TTL   86400
```

3. The information returned by `vault read alicloud/creds/appname` still shows 1 hour. The returned output is:

```
Key Value
lease_id alicloud/creds/appname/xxxxx
lease_duration 59m59s
lease_renewable false
```

Where did I misconfigure this? I have no way to increase this duration.

liuliancao commented 10 months ago

Maybe check the actual default TTL in the web console. Also, when tuning, check whether it should be `vault secrets tune -default-lease-ttl=2h alicloud/config` and `vault secrets tune -max-lease-ttl=24h alicloud/config`.

zhulianmei commented 10 months ago

The web console shows:

```
Secret engine type.  alicloud
Path.     alicloud/
Description
Accessor.    alicloud_15b14
Local. No
Seal wrap.  No
Default Lease TTL.   7200
Max Lease TTL.    86400
Request keys excluded from HMACing in audit
Response keys excluded from HMACing in audit
Allowed passthrough request headers
```

Then I tuned alicloud/config and it is still the same:

```
(venv) MacBook-Pro:aliscript wangchao$ vault secrets tune -max-lease-ttl=24h alicloud/config
Success! Tuned the secrets engine at: alicloud/config/
(venv) MacBook-Pro:aliscript wangchao$ vault secrets tune -default-lease-ttl=2h alicloud/config
Success! Tuned the secrets engine at: alicloud/config/
(venv) MacBook-Pro:aliscript wangchao$ vault read alicloud/creds/appname
Key                Value
---                -----
lease_id           alicloud/creds/adlink/xxx
lease_duration     1h
lease_renewable    false
access_key         STS.NUNxxxx
```

liuliancao commented 10 months ago

Then check the TTL of the AppRole you created, something like `vault write auth/approle/role/awx-api policies="awx-read" token_ttl=10m token_max_ttl=30m`; change the TTL to the value you want.

zhulianmei commented 10 months ago

Still doesn't work:

```
(venv) MacBook-Pro:aliscript wangchao$ vault read auth/approle/role/adlin
Key                        Value
---                        -----
bind_secret_id             true
local_secret_ids           false
period                     6h
policies                   [adlin adlin_devcommon]
secret_id_bound_cidrs      <nil>
secret_id_num_uses         0
secret_id_ttl              0s
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               6h
token_policies             [adlin adlin_devcommon]
token_ttl                  0s
token_type                 default
(venv) MacBook-Pro:aliscript wangchao$ vault write  auth/approle/role/adlin token_ttl=2h token_max_ttl=24h
Success! Data written to: auth/approle/role/adlin
(venv) MacBook-Pro:aliscript wangchao$ vault read auth/approle/role/adlin
Key                        Value
---                        -----
bind_secret_id             true
local_secret_ids           false
period                     6h
policies                   [adlin adlin_devcommon]
secret_id_bound_cidrs      <nil>
secret_id_num_uses         0
secret_id_ttl              0s
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              24h
token_no_default_policy    false
token_num_uses             0
token_period               6h
token_policies             [adlin adlin_devcommon]
token_ttl                  2h
token_type                 default
(venv) MacBook-Pro:aliscript wangchao$ vault read alicloud/creds/adlin
Key                Value
---                -----
lease_id           alicloud/creds/adlin/xxx
lease_duration     1h
lease_renewable    false
access_key         STS.xxx
expiration         2023-12-11T02:39:37Z
```

liuliancao commented 10 months ago

Another difference I see is that yours uses the STS method; maybe try the AK method first. STS supports at most 3600s: https://help.aliyun.com/zh/ram/support/faq-about-ram-roles-and-sts-tokens/

```
[root@puppetmaster ~]# vault read alicloud-publiccloud/creds/policy-lqx
Key                Value
lease_id           alicloud-publiccloud/creds/policy-lqx/123
lease_duration     10m
lease_renewable    true
access_key         123
secret_key         456
[root@puppetmaster ~]# vault lease lookup alicloud-publiccloud/creds/policy-lqx/123
Key                Value
expire_time        2023-12-11T10:10:15.12768064+08:00
id                 alicloud-publiccloud/creds/policy-lqx/123
issue_time         2023-12-11T10:00:15.127680371+08:00
last_renewal
renewable          true
ttl                4m54s
```

zhulianmei commented 10 months ago

When I call the API directly I can specify the expiry, for example 2 hours; Alibaba Cloud API documentation: https://help.aliyun.com/zh/ram/developer-reference/api-sts-2015-04-01-assumerole?spm=a2c4g.11186623.0.i3#main-107864. But through Vault there is no way to make this duration anything other than 1h.

liuliancao commented 10 months ago

Right. I looked at the code: line 201 of https://github.com/hashicorp/vault-plugin-secrets-alicloud/blob/main/path_roles.go shows they don't support a ttl parameter. Rather than trying to make STS 2h, I think it is better to use the agent and let it regenerate the credential after 1h. Another option is to modify the source: look at line 71 of https://github.com/hashicorp/vault-plugin-secrets-alicloud/blob/main/path_creds.go, the call there uses the defaults, which is why it is 1h.

zhulianmei commented 10 months ago

I looked at the code at line 71. Is this what it means: when Vault calls the Alibaba Cloud API to generate the STS token, it doesn't pass a TTL, so the Alibaba Cloud API uses its default of 1h, and that is why the return is 1h. I originally wanted to leave enough time to recover in case of problems (like this Alibaba Cloud AK/SK outage). Modifying the source is a bit difficult. Sad face...

liuliancao commented 10 months ago

Then don't use STS; use the AK/SK method. The key is to build an effective rotation scheme.
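As an added illustration of the rotation approach suggested here (not code from the blog or from the Vault alicloud plugin): a Python helper that parses the `vault read alicloud/creds/<role>` output shown in this thread, recognises that an STS credential is non-renewable and capped at 3600s regardless of the tuned 7200s default, and computes when a consumer should fetch a fresh credential. The sample output and the 0.8 safety fraction are constructed assumptions.

```python
import re

# Constructed sample in the format `vault read alicloud/creds/<role>` prints
# in this thread (two-column table, durations like 59m59s or 1h).
SAMPLE_CREDS_OUTPUT = """\
Key                Value
---                -----
lease_id           alicloud/creds/adlin/xxx
lease_duration     59m59s
lease_renewable    false
access_key         STS.xxx
expiration         2023-12-11T02:39:37Z
"""

STS_MAX_SECONDS = 3600    # the Alibaba Cloud STS cap cited in the thread
TUNED_DEFAULT_TTL = 7200  # -default-lease-ttl=2h from the tune output above

def parse_kv(output: str) -> dict:
    """Turn Vault's Key/Value table into a dict (header and --- rows skipped)."""
    result = {}
    for line in output.splitlines():
        if not line.strip() or line.startswith(("Key ", "---")):
            continue
        key, _, value = line.partition(" ")
        result[key] = value.strip()
    return result

_UNIT = {"h": 3600, "m": 60, "s": 1}

def parse_duration(text: str) -> int:
    """Convert a Vault duration ('1h', '59m59s', '7200') to seconds."""
    if text.isdigit():
        return int(text)
    return sum(int(n) * _UNIT[u] for n, u in re.findall(r"(\d+)([hms])", text))

def refresh_plan(output: str, safety_fraction: float = 0.8) -> dict:
    """Decide how to handle a credential whose lease is shorter than tuned.

    STS credentials are non-renewable and capped at STS_MAX_SECONDS, so the
    only safe option is to fetch a fresh one well before the current expiry.
    """
    creds = parse_kv(output)
    ttl = parse_duration(creds["lease_duration"])
    is_sts = creds.get("access_key", "").startswith("STS.")
    return {
        "ttl_seconds": ttl,
        "renewable": creds.get("lease_renewable") == "true",
        "shorter_than_tuned": ttl < TUNED_DEFAULT_TTL,
        "capped_by_sts": is_sts and ttl <= STS_MAX_SECONDS,
        "refresh_after_seconds": int(ttl * safety_fraction),
    }
```

A consumer (or an agent template hook) would sleep for `refresh_after_seconds` and then re-read the creds path, which is the "let it regenerate after 1h" pattern rather than trying to stretch the STS lease.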

zhulianmei commented 10 months ago

Thanks! I'll just dig into the source then.

liuliancao commented 10 months ago

Keep building up experience; this code isn't too bad..