Vault Plugin: HuaweiCloud Auth Backend
This is a standalone backend plugin for use with Hashicorp Vault. This plugin allows authentication to Vault using a user's Huawei Cloud personal token.
Getting Started
This is a Vault plugin and is meant to work with Vault. This guide assumes you have already installed Vault and have a basic understanding of how Vault works.
Otherwise, first read this guide on how to get started with Vault.
To learn specifically about how plugins work, see documentation on Vault plugins.
Security Model
This authentication model places Vault in the middle of a call between a client and Huawei Cloud's API. Based on Huawei Cloud's response, Vault grants a token according to pre-configured roles.
Auth Flow
The basic mechanism of operation is per-role.
Roles are associated with a Huawei Cloud account and user. When a client logs in to Vault, the plugin matches the account and user name retrieved via the token against those of a pre-created role in Vault. It then checks which policies have been associated with the role and grants a token accordingly.
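As an added illustration (not code from this plugin), the Go program below models the per-role decision just described: the submitted token is resolved to an account and user name, both must equal the role's, and only then are the role's token_policies returned. It also enforces token_bound_cidrs from the role parameters listed under Usage. The IdentityResolver interface, the in-memory fake that stands in for the call to Huawei Cloud's API, and every account, user and token value are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Added example, not the plugin's own code: a model of the per-role decision
// the README describes. IdentityResolver and the in-memory fake stand in for
// the call to Huawei Cloud's API; all names and tokens are placeholders.

// Identity is what a Huawei Cloud token resolves to.
type Identity struct{ Account, User string }

// Role holds the role parameters this example enforces: account, user,
// token_policies and token_bound_cidrs (empty means any source address).
type Role struct {
	Account, User string
	Policies      []string
	BoundCIDRs    []*net.IPNet
}

// IdentityResolver validates a token and returns the identity behind it.
type IdentityResolver interface {
	Resolve(token string) (Identity, error)
}

// fakeResolver is constructed data keyed by token value.
type fakeResolver map[string]Identity

func (f fakeResolver) Resolve(token string) (Identity, error) {
	if id, ok := f[token]; ok {
		return id, nil
	}
	return Identity{}, errors.New("token rejected")
}

// ErrDenied is returned for every failed login so a caller cannot tell an
// unknown role, a rejected token, a mismatched identity and a disallowed
// source address apart.
var ErrDenied = errors.New("permission denied")

// login returns the policies to encode on the Vault token, or ErrDenied.
func login(r IdentityResolver, roles map[string]Role, roleName, token string, clientIP net.IP) ([]string, error) {
	role, ok := roles[roleName]
	if !ok {
		return nil, ErrDenied
	}
	// token_bound_cidrs is checked before any upstream call is made.
	if len(role.BoundCIDRs) > 0 && !ipAllowed(clientIP, role.BoundCIDRs) {
		return nil, ErrDenied
	}
	id, err := r.Resolve(token)
	if err != nil {
		return nil, ErrDenied
	}
	// Both account and user must equal the role's: a valid token for another
	// user in the same account is not enough.
	if id.Account != role.Account || id.User != role.User {
		return nil, ErrDenied
	}
	return append([]string(nil), role.Policies...), nil
}

func ipAllowed(ip net.IP, cidrs []*net.IPNet) bool {
	for _, c := range cidrs {
		if c.Contains(ip) {
			return true
		}
	}
	return false
}

// sampleData builds one role and two known tokens (constructed placeholders).
func sampleData() (map[string]Role, IdentityResolver) {
	_, cidr, _ := net.ParseCIDR("10.0.0.0/8")
	roles := map[string]Role{"dev-role": {
		Account: "example-account", User: "alice",
		Policies: []string{"dev"}, BoundCIDRs: []*net.IPNet{cidr},
	}}
	resolver := fakeResolver{
		"tok-alice": {Account: "example-account", User: "alice"},
		"tok-bob":   {Account: "example-account", User: "bob"},
	}
	return roles, resolver
}

func main() {
	roles, r := sampleData()
	for _, c := range []struct{ token, ip string }{
		{"tok-alice", "10.0.1.5"},   // matches dev-role, allowed source
		{"tok-bob", "10.0.1.5"},     // valid token, wrong user
		{"tok-alice", "192.0.2.9"},  // right user, outside token_bound_cidrs
		{"tok-unknown", "10.0.1.5"}, // token Huawei Cloud would reject
	} {
		pols, err := login(r, roles, "dev-role", c.token, net.ParseIP(c.ip))
		fmt.Printf("%-12s from %-10s -> policies=%v err=%v\n", c.token, c.ip, pols, err)
	}
}
```

Returning one opaque ErrDenied for every failure is a design choice for the example: the login response then reveals nothing about whether the role exists, whether Huawei Cloud accepted the token, or which of the two name comparisons failed.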
Usage
This guide assumes some familiarity with Vault and Vault’s plugin ecosystem. You must have a Vault server already running, unsealed, and authenticated.
Download and decompress the latest plugin binary from the Releases tab on GitHub. Alternatively you can compile the plugin from source, if you're into that kind of thing.
Move the compiled plugin into Vault's configured plugin_directory.
Calculate the SHA256 of the plugin and register it in Vault's plugin catalog. If you are downloading the pre-compiled binary, it is highly recommended that you use the published checksums to verify integrity.
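One way to carry out the checksum step just recommended, as an added example in Go that is not part of this project: parse the published checksums, hash the downloaded binary, and hand the digest on for registration only when the two agree. The "<hex>  <filename>" line format, the binary name vault-plugin-auth-huaweicloud and the file contents are assumptions made for the example.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Added example, not the plugin's own code: check a downloaded plugin binary
// against the published checksums before registering it. The checksum file is
// assumed to use sha256sum's "<hex>  <filename>" line format; the binary name
// and contents below are constructed placeholders.

// parseChecksums reads "<hex>  <filename>" lines into a map keyed by file name.
func parseChecksums(r io.Reader) (map[string]string, error) {
	sums := map[string]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed checksum line: %q", line)
		}
		if _, err := hex.DecodeString(fields[0]); err != nil {
			return nil, fmt.Errorf("malformed checksum line: %q", line)
		}
		// sha256sum prefixes binary-mode entries with '*'.
		sums[strings.TrimPrefix(fields[1], "*")] = strings.ToLower(fields[0])
	}
	return sums, sc.Err()
}

// verifyPlugin hashes the binary and returns the lowercase hex digest only if
// it equals the published entry for that file name; a missing entry or a
// mismatch is an error, so a tampered download is never registered.
func verifyPlugin(name string, binary io.Reader, checksums map[string]string) (string, error) {
	want, ok := checksums[name]
	if !ok {
		return "", fmt.Errorf("no published checksum for %s", name)
	}
	h := sha256.New()
	if _, err := io.Copy(h, binary); err != nil {
		return "", err
	}
	got := hex.EncodeToString(h.Sum(nil))
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return "", errors.New("checksum mismatch: do not register this binary")
	}
	return got, nil
}

// demo runs the check on constructed in-memory data: a fake binary, a checksum
// file that matches it, and a tampered copy that does not.
func demo() (digest string, goodErr, tamperedErr error) {
	const name = "vault-plugin-auth-huaweicloud" // placeholder file name
	binary := []byte("constructed fake plugin binary\n")
	sum := sha256.Sum256(binary)
	sums, err := parseChecksums(strings.NewReader(hex.EncodeToString(sum[:]) + "  " + name + "\n"))
	if err != nil {
		return "", err, err
	}
	digest, goodErr = verifyPlugin(name, bytes.NewReader(binary), sums)
	tampered := append([]byte(nil), binary...)
	tampered[0] ^= 0xff
	_, tamperedErr = verifyPlugin(name, bytes.NewReader(tampered), sums)
	return digest, goodErr, tamperedErr
}

func main() {
	digest, goodErr, tamperedErr := demo()
	fmt.Println("genuine binary:", digest, goodErr)
	fmt.Println("tampered binary:", tamperedErr)
}
```

The digest verifyPlugin returns is the value for the -sha256 flag of vault plugin register; on a mismatch nothing is returned, so the binary never reaches the catalog.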
Mount the auth method.
Create role.
role (string: <required>) - Name of the role.
account (string) - Name of the Huawei Cloud account.
user (string) - Name of the Huawei Cloud user.
token_ttl (integer: 0 or string: "") - The incremental lifetime for generated tokens. The current value of this will be referenced at renewal time.
token_max_ttl (integer: 0 or string: "") - The maximum lifetime for generated tokens. The current value of this will be referenced at renewal time.
token_policies (array: [] or comma-delimited string: "") - List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
token_bound_cidrs (array: [] or comma-delimited string: "") - List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
token_explicit_max_ttl (integer: 0 or string: "") - If set, will encode an explicit max TTL onto the token. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.
token_no_default_policy (bool: false) - If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
token_num_uses (integer: 0) - The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
token_period (integer: 0 or string: "") - The period, if any, to set on the token.
token_type (string: "") - The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch, which specify the type to return unless the client requests a different type at generation time.
Login to Vault.
# Save the token to a file (./token.txt) first, because the token is very long.
$ token=$(cat ./token.txt); vault write auth/auth-hw/login role=dev-role token="$token"
The response will be a standard auth response with some token metadata: