HMAC / Access permissions integration with Vault

[dvilaamill]

Hello,

The need has arisen to integrate the Plugin for secrets of Hashicorp Vault and the permissions on COS buckets. This is because it is intended to give certain applications write permissions on certain buckets and read on others. The objective is that the delegation of permissions is carried out through Vault that will store the generated ApiKeys and so far we see that this may be possible using Service ID.

However, certain applications use "HMAC credentials" and from what we understand the plugin is not compatible either for the creation of this type of credentials nor for their rotation.

So, we have these questions:

1. Is there a strategy to handle these types of credentials? (creation and rotation)
2. Is it feasible or is it planned to make an update to the plugin to support it?

Thank you and best regards,

Dani

[mhobnp]

Hello, we would also be very interested in using Vault to generate HMAC credentials. Do you know if it's happening on your side?

[smatzek]

Adding support for HMAC keys would probably require a redesign of the existing roles and creds paths or additions of new, parallel paths since HMAC key creation goes through the resource controller and not an IAM API as the rest of the plugin. While it is feasible to do this, the work is not currently planned.

[smatzek]

After further consideration and design, I have designed and implemented support in the secret engine for generating HMAC credentials for a Cloud Object Storage instance. Using this implementation you can create different IAM access groups that grant read, write access, or more granular access to buckets, and then create different secret engine roles that reference the different access groups. In this way you can create secret engine roles that give certain applications write permissions on certain buckets and read on others.

An alpha, pre-release of the secret engine containing this new function is here.

@dvilaamill @mhobnp @inahga @oscarjim89 Feel free to try out this release and let me know of any feedback you have.

[oscarjim89]

Hi @smatzek!
Just to inform you, that we'were testing your functionality and it works really well.

Thanks you!