I'm trying to use GitLab and HashiCorp Vault to provide secrets to CI jobs via JWT auth. Everything seems to work except the policies.
So I first enabled the jwt auth method:
vault auth enable jwt
Then I wrote a related policy:
vault policy write k8s-gcp-env - <<EOF
path "gitlab/k8s-gcp-env/*" {
capabilities = [ "read", "list" ]
}
EOF
and a role:
vault write auth/jwt/role/k8s-gcp-env - <<EOF
{
"role_type": "jwt",
"policies": ["k8s-gcp-env"],
"token_explicit_max_ttl": 60,
"bound_claims_type": "glob",
"bound_claims": {
"project_id": "28"
}
}
EOF
Then I configured the jwt method (using a custom CA):
vault write auth/jwt/config \
jwks_url="https://git.__REDACTED__/-/jwks" \
bound_issuer="git.__REDACTED__" \
jwks_ca_pem=@/Users/user/Downloads/c81a8bd1f9cf6d84c525f378ca1d3f8c30770e34.cer
This all works fine, but my pipeline cannot read the secret:
$ export VAULT_ADDR=https://vault.__REDACTED__
$ export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=$CI_PROJECT_NAME jwt=$CI_JOB_JWT)"
$ echo $VAULT_TOKEN
__REDACTED__
$ vault token lookup
Key Value
--- -----
accessor __REDACTED__
creation_time 1666877529
creation_ttl 1m
display_name __REDACTED__
entity_id 23938616-4ca5-fd51-b607-9a029476ab6d
expire_time 2022-10-27T13:33:09.410411192Z
explicit_max_ttl 1m
id __REDACTED__
issue_time 2022-10-27T13:32:09.410419432Z
meta map[role:k8s-gcp-env]
num_uses 0
orphan true
path auth/jwt/login
policies [default k8s-gcp-env]
renewable true
ttl 59s
type service
$ export SERVICE_ACCOUNT="$(vault kv get -field=service_account gitlab/k8s-gcp-env/gcp)"
Error reading gitlab/data/k8s-gcp-env/gcp: Error making API request.
URL: GET https://vault.__REDACTED__/v1/gitlab/data/k8s-gcp-env/gcp
Code: 403. Errors:
* 1 error occurred:
* permission denied
$ echo $SERVICE_ACCOUNT
So I decided to debug it outside the pipeline with a token that has the same policy:
❯ vault token create -policy=k8s-gcp-env
Key Value
--- -----
token __REDACTED__
token_accessor __REDACTED__
token_duration 768h
token_renewable true
token_policies ["default" "k8s-gcp-env"]
identity_policies []
policies ["default" "k8s-gcp-env"]
❯ VAULT_TOKEN="__REDACTED__" vault token lookup
Key Value
--- -----
accessor __REDACTED__
creation_time 1666898416
creation_ttl 768h
display_name token
entity_id n/a
expire_time 2022-11-28T19:20:16.462740878Z
explicit_max_ttl 0s
id __REDACTED__
issue_time 2022-10-27T19:20:16.462747868Z
meta <nil>
num_uses 0
orphan false
path auth/token/create
policies [default k8s-gcp-env]
renewable true
ttl 767h58m30s
type service
vault token capabilities __REDACTED__ gitlab/k8s-gcp-env/gcp
list, read
(However, despite having these capabilities, this fails:)
VAULT_TOKEN="__REDACTED__" vault kv get -field=service_account gitlab/k8s-gcp-env/gcp
Error reading gitlab/data/k8s-gcp-env/gcp: Error making API request.
URL: GET https://vault.__REDACTED__/v1/gitlab/data/k8s-gcp-env/gcp
Code: 403. Errors:
* 1 error occurred:
* permission denied
The secret path is definitely correct, because it works when I do this with the root token:
❯ vault kv get -field=service_account gitlab/k8s-gcp-env/gcp
{
"type": "service_account",
"project_id": "__REDACTED__",
"private_key_id": "__REDACTED__",
"private_key": "__REDACTED__",
"client_email": "__REDACTED__",
"client_id": "__REDACTED__",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/__REDACTED__"
}
What am I missing? This is driving me crazy.
Here is the page I have been following: https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/
Posted on 2022-10-27 20:23:42
The answer was to grant the policy capabilities on gitlab/data/k8s-gcp-env:
vault policy write k8s-gcp-env - <<EOF
path "gitlab/data/k8s-gcp-env/*" {
capabilities = [ "read", "list" ]
}
EOF
I'm not really sure about the "why" here, but it works.
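As an added illustration (not part of the question or the answer) of why the first policy passed `vault token capabilities` yet `vault kv get` was denied: on a KV version 2 mount the CLI rewrites the logical path to `<mount>/data/<key>` for reads and `<mount>/metadata/<key>` for lists, and the ACL check runs against that rewritten path, so a policy on `gitlab/k8s-gcp-env/*` never matches the actual request. The script below models that matching with the two policies from this thread; the simplified glob matcher is an assumption of the example, not Vault's own implementation.

```python
"""Model of why 'gitlab/k8s-gcp-env/*' fails for a KV v2 read (added example)."""

# Policies as they appear in this thread: the broken one and the fixed one.
POLICY_BROKEN = ["gitlab/k8s-gcp-env/*"]
POLICY_FIXED = ["gitlab/data/k8s-gcp-env/*"]


def kv2_api_path(mount, key, op):
    """API path the Vault server authorises for a KV v2 request.

    'vault kv get' hits <mount>/data/<key>; 'vault kv list' hits
    <mount>/metadata/<key>. A KV v1 mount would use <mount>/<key> unchanged.
    """
    prefix = {"read": "data", "list": "metadata"}[op]
    return "{}/{}/{}".format(mount, prefix, key)


def policy_matches(pattern, path):
    """Simplified ACL path matching (assumption of this example): a trailing
    '*' is a prefix glob, anything else must match exactly. Vault's '+'
    single-segment wildcard is not modelled here."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def allowed(policy, path):
    return any(policy_matches(p, path) for p in policy)


def explain(policy, mount, key):
    """Compare the check on the logical path with the check on the API path."""
    logical = "{}/{}".format(mount, key)
    api = kv2_api_path(mount, key, "read")
    return {
        "logical_path": logical,
        # This is what 'vault token capabilities <logical path>' evaluated.
        "capabilities_on_logical_path": allowed(policy, logical),
        "api_path": api,
        # This is what 'vault kv get' is actually authorised against.
        "kv_get_allowed": allowed(policy, api),
    }


if __name__ == "__main__":
    for name, pol in (("broken", POLICY_BROKEN), ("fixed", POLICY_FIXED)):
        print(name, explain(pol, "gitlab", "k8s-gcp-env/gcp"))
```

If `list` is also needed, the same reasoning means the policy must cover `gitlab/metadata/k8s-gcp-env/*` too.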
https://stackoverflow.com/questions/74227620