-
Notifications
You must be signed in to change notification settings - Fork 500
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for updated Hashicorp HCP CLI to continue accessing Vault Secrets #4146
Comments
Some additional information about the new HCP CLI and interacting with the Hashicorp Vault Secrets service:
then it is sufficient to run: export HCP_CLIENT_ID=xxxxxxxxx HCP_CLIENT_SECRET=xxxxxxxxx
hcp vault-secrets secrets list --app chezmoi
hcp vault-secrets secrets open superSecret --app chezmoi whereas previously with the export HCP_CLIENT_ID=xxxxxxxxx HCP_CLIENT_SECRET=xxxxxxxxx
vlt secrets list --organization <organization UUID> --project <project UUID> --app-name chezmoi
vlt secrets get --organization <organization UUID> --project <project UUID> --app-name chezmoi superSecret |
Based on what you have written, the ability to skip I don't use Hashicorp Cloud products regularly, and while I did some testing of this the first time around, it was after the initial implementation was completed. We can make this change (it would be contingent on the presence of |
Could you explain please why organizationId and projectId are still required to implement this? Perhaps these become optional instead of mandatory values so that users still with vlt can provide them in their config, and users of the new hcp CLI need only provide |
And if this is any further help, the Further, there is no longer a .vlt.json file to store cached creds with
These are all populated automatically in the condition that you have the Service Principal environment vars set and provide the |
I can't answer this, because I’ve used Hashicorp Vault Secrets once, eighteen months ago, when this was first developed for chezmoi. However, chezmoi passes the provided items (secret name, app name, project id, and org id) as command-line parameters. If the parameters are substantially different, we need to create new template functions because the old functions will no longer work. If the expected items will also work with the new command line without breaking, then we can bodge the old functions to work the same. Chezmoi does not explicitly disable configuration lookup for |
Yes, I would think substantially different as demonstrated in the examples of |
TL;DRThe It cannot accept an organization id on the command-line and requires that the credentials be for a service entity or that you set up organization and project prior to use and specify a profile … I think. It's substantially more complex and is feels built for Hashicorp's overpaying enterprise customers, not for home lab use. The DX is atrocious and I can't really see how chezmoi is going to be able to properly work with this because it is both less programmatically usable and there are three distinct type of secrets (two of which cannot be tested with anything less than a "plus" account). Implementation NotesThis should help someone who actually wants to implement this do so. I have no interest in implementing this after having spent the last couple of hours looking into it (sorry @arrrgi; it's that bad). The Bad NewsIt's pretty much all bad news and the documentation is uncharacteristically atrocious for Hashicorp (I’m used to Terraform documentation and found the
The returned data format is dynamic based on the underlying type of the secret, and there are no examples anywhere for what they might look like. The Swagger API definition does not help (the raw JSON doesn't match what's on the website, and what's on the docs website looks closer to the only output that I can get). Here's an example: {
"created_at": "2023-06-28T01:55:18.686Z",
"created_by_id": "<uuid>",
"latest_version": 2,
"name": "test_secret",
"static_version": {
"created_at": "2023-06-28T01:56:11.053Z",
"created_by_id": "<uuid>",
"value": "real-test-value",
"version": 2
},
"type": "kv"
} The value, however, appears to be polymorphic (see name: string # The name of the secret
type: string
latest_version: integer
created_at: string
created_by_id: string
sync_status: # optional?
status: string
updated_at: date-time
last_error_code: string
static_version?:
version: integer
value: string
created_at: string
created_by_id: string
rotating_version: # optional
version: integer
values: object
created_by_id: string
created_at: string
expires_at: string
revoked_at: string
keys: string[]
dynamic_version: # optional
values: object
created_at: string
expires_at: string
ttl: string Because of the complexity of setup and the highly dynamic response possible with this, I don't think that this is a particularly good development investment and would not be recommending it to any developer that I know even if chezmoi did support it. (I feel the same way about the 1Password SDK because it only works with service principal equivalents.) That said, if we do support it, we should put constraints:
Regardless of anything else, the existing CLI has a limited shelf life. They are no longer updating it, and it is not clear if or when it will stop working. We should deprecate the existing template functions as they will fail at some point in the future. |
Thanks @halostatue , great write up on what you found. My own use case is to store static credentials/SSH keys, etc, and I do so with a Service Principal so that I don't need to have HCP CLI manually installed first and authenticated via OAuth before I init/apply my dotfiles. This was one of the reasons the hooks functionality was created so that my dotfiles could just be applied without further intervention than supplying See arrrgi/dotfiles for my current implementation using Service Principal and pre-install hook with vlt HCP CLI simplifies this in invocation when using a Service Principal, and I would hope that this is the predominant use case for Chezmoi users consuming the existing hcpVaultSecret function as it removes the need for OAuth and browser combination --> hello Devcontainers/Codespaces users!! Opinion: I don't imagine that rotating and dynamics secrets would be a common use case for Chezmoi users, that said, Hashicorp does provide free credit to test said secret types output if that is to be explored. |
In the short term, you can make this work by ensuring that you have In my opinion, there is no meaningful way to use the existing functions.
Coming up with a new name will be a pain, but the best choice is probably I appreciate what you’re using this for, but Hashicorp seems to want its paying customers to use this through other integration mechanisms and the There are other tools which provide 'service principal' approaches (AWS Secrets Manager, AWS SSM ParameterStore, 1Password) which could probably be used more reliably than what Hashicorp is providing here (and Chezmoi supports 1Password's approach somewhat natively with the SDK function), but as I don't use codespaces, I honestly don't have a reason to try them out with chezmoi. I'm aware of Hashicorp's free credit, but there is also the matter of the time it would take to develop this feature. I am happy to support chezmoi users with my free time, but I’m less inclined to support Hashicorp after the licensing debacle last year. Had Hashicorp bothered to make the command-lines even remotely compatible, I would not have minded modifying chezmoi's approach. As it is, it involves a time investment that I have already overdrawn. I’m not sure of anyone else's time commitments, but I don't see a reason that chezmoi shouldn't support this, but I won't be able to really even provide testing support with this change. @twpayne other contributors may feel differently. |
Let's say that I do use this for now, how would I access the [GDrive]
type = drive
client_secret = {{ (output "hcp" "vs" "s" "open" "--format" "json" "--app" $app_name $secret_name | fromJson).static_version.value }} Alternatively, I would happily consider switching to the |
Yes, exactly.
The 1Password SDK functions were added at the request of a Project Manager at 1Password, but I don't think anyone actually uses any of them yet (at least, searches for If you want cross-platform secrets with no external dependencies, consider using Medium-term, I'd like to add support for the new |
I have just tested and already received an error message. chezmoi: .config/git/user: template: dot_config/exact_git/user.tmpl:5:18: executing "dot_config/exact_git/user.tmpl" at <onepasswordSDKSecretsResolve "op://Secrets/Personal SSH Signing Key/public key">: error calling onepasswordSDKSecretsResolve: error resolving secret reference: the specified field cannot be found within the item Doing some digging, it seems the SDK is still pretty young and not all types of records can be retrieved yet with a number of record/field types not yet supported. Off-topic yes, but worthy of reporting given your mention that nobody else seems to be using this functionality yet. Thanks for considering adding support, it's inelegant as @halostatue points out, but much simpler to setup than AWS/Azure for those of us with simpler needs. |
Is your feature request related to a problem? Please describe.
The
vlt
CLI tool for interacting with HCP Vault Secrets has ended support as of September 2024. Whilst the CLI tool still functions, Hashicorp have advised users to migrate to HCP CLI, with this new package generally available for Linux, MacOS and Windows from https://developer.hashicorp.com/hcp/docs/vault-secrets/get-started/install-hcp-cliThe
vlt
CLI tool should be considered as deprecated now.Describe the solution you'd like
Please add support for the HCP CLI, preferably using the existing
hcpVaultSecrets
variables so that users can migrate to the new CLI with less refactoring of their existing configs.Describe alternatives you've considered
vlt
continues to function but no further updates, especially security critical updates will be provided.Additional context
The text was updated successfully, but these errors were encountered: