opentelekomcloud / vault-plugin-secrets-openstack

Create OpenStack tokens using HashiCorp Vault
Apache License 2.0

Get encrypted `root` password #122

Closed lego963 closed 1 year ago

lego963 commented 1 year ago

Description

Currently, if the password is rotated we won't see the new password. When creating `root_cloud`, specify the public key so that you can get it encrypted later.

lego963 commented 1 year ago

@gtema what do you think?

gtema commented 1 year ago

How do you want to use `public_key`? In general, it is a security feature not to ever leak the root password out of Vault, and I would not try to add it somehow.

lego963 commented 1 year ago

Only Vault knows the password after rotation.

1. Create cloud with public key request

   `payload.json` (the key can also be given as content instead of a path):

   ```json
   {
     ...
     "public_key_path": "/home/admin/vault"
   }
   ```

   ```shell
   $ curl \
       --header "X-Vault-Token: ..." \
       --request POST \
       --data @payload.json \
       http://127.0.0.1:8200/v1/openstack/clouds/example-cloud
   ```

2. Rotate password

3. Get root password request

   ```shell
   $ curl \
       --header "X-Vault-Token: ..." \
       --request GET \
       http://127.0.0.1:8200/v1/openstack/pwd/example-cloud
   ```

   response

   ```json
   {
     "password": "<encrypted with public key>"
   }
   ```

With a policy we can restrict access to this path.
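As an added example (not the plugin's code and not part of this issue), this is the wrapping step the proposal describes, written in Go with assumed function names: after rotation the plugin would encrypt the new root password with the user-supplied RSA public key using RSA-OAEP, so the plaintext never leaves Vault and only the holder of the matching private key can recover it on their side.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
)

// parsePublicKey takes the PEM content the user would supply (as the proposed
// "public_key_path" or inline content; hypothetical field) and returns an RSA key.
func parsePublicKey(pemBytes []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found in public key")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("public key is not RSA")
	}
	return rsaPub, nil
}

// encryptPassword is the plugin-side step after rotation: the new root password
// is wrapped with RSA-OAEP (SHA-256) so only the private-key holder can read it.
func encryptPassword(pub *rsa.PublicKey, password string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// decryptPassword is the client-side step, run by the key holder outside Vault.
func decryptPassword(priv *rsa.PrivateKey, b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	return string(pt), err
}
```

The base64 string returned by `encryptPassword` is what the `pwd` endpoint in the proposal would hand back; a read policy on that path still limits who can fetch even the wrapped value.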