hashicorp / packer-plugin-amazon

Packer plugin for Amazon AMI Builder

Home Page:https://www.packer.io/docs/builders/amazon


Unable to leverage `vault_aws_engine` with HashiCorp Vault Enterprise - No authentication

brlara-mt opened this issue · comments

Overview of the Issue

When attempting to use the vault_aws_engine functionality, I continuously receive a 403 response from HashiCorp Vault. We are attempting to reduce secrets sprawl in our build environment while trying to deploy a different HashiCorp product on AWS. However, when we attempt to use the EC2 builder with EBS we are unable to get past the pre-flight validation check with credentials. It's important to note that we are using HashiCorp Vault Enterprise, and the secret we are attempting to receive resides in a namespace that is a multi-level child of the root namespace.

Reproduction Steps

Steps to reproduce this issue

  1. Create the following Packer HCL configuration and export the following environment variables:
Environment Variables

export VAULT_ADDR="https://my.vault.cluster:8200"
export VAULT_NAMESPACE="my/namespace"
export VAULT_TOKEN="validToken"

Packer Config

source "amazon-ebs" "basic-example" {
  region        =  "us-gov-east-1"
  instance_type =  "t2.micro"
  ssh_username  =  "rhel"
  ami_name      =  "packer_AWS {{timestamp}}"

  vault_aws_engine {
    name        = "myrole"
    engine_name = "my/namespace/my/engine"
    ttl         = "3600s"
  }

  source_ami_filter {
    filters = {
       virtualization-type = "hvm"
       name                = "RHEL-8*-x86_64-*"
       root-device-type    = "ebs"
    }
    owners      = ["309956199498"]
    most_recent = true
  }

  vpc_id    = <redacted>
  subnet_id = <redacted>
}

build {
  sources = [
    "source.amazon-ebs.basic-example"
  ]
}

  2. Execute a packer build with the configuration file:
Output

packer build mybuild.pkr.hcl

Error: 1 error(s) occurred:

* Error reading vault secret: Error making API request.

URL: GET https://my.vault.cluster:8200/v1/my/namespace/my/engine/creds/myrole
Code: 403. Errors:

* 1 error occurred:
	* permission denied
  on mybuild.pkr.hcl line 8:
  (source code not available)

Plugin and Packer version

From packer version

Packer v1.8.6

I've come across this function, GetCredsFromVault(), which seems to ignore the VAULT_TOKEN and VAULT_ADDR environment variables in favor of using the DefaultConfig struct from the Vault API library. Is this anticipated to resolve the Vault token for us?

See the following code block:

...
func (c *AccessConfig) GetCredsFromVault() error {
	// const EnvVaultAddress = "VAULT_ADDR"
	// const EnvVaultToken = "VAULT_TOKEN"
	vaultConfig := vaultapi.DefaultConfig()
	cli, err := vaultapi.NewClient(vaultConfig)
	if err != nil {
		return fmt.Errorf("Error getting Vault client: %s", err)
	}
	if c.VaultAWSEngine.EngineName == "" {
		c.VaultAWSEngine.EngineName = "aws"
	}

	secret, err := c.getCredsFromVault(cli)
...
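How the VAULT_NAMESPACE header and a namespace-prefixed `engine_name` combine in the request the plugin sends, as an added example that is not part of this issue or of the plugin's code. It assumes Vault's documented rule that the X-Vault-Namespace header and namespace segments at the front of the request path are combined, and stands up a constructed in-process mock of the two namespaces and the reporter's role instead of a real cluster; `resolveTarget`, `mockVault` and `fetchCreds` are hypothetical names.

```go
package main
import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// resolveTarget models Vault's rule that the X-Vault-Namespace header and namespace
// segments leading the path combine; what is not consumed is the mount-relative path.
func resolveTarget(headerNS, apiPath string) (ns, rest string) {
	known := map[string]bool{"my": true, "my/namespace": true} // constructed tree
	ns = strings.Trim(headerNS, "/")
	segs := strings.Split(strings.Trim(apiPath, "/"), "/")
	for len(segs) > 0 {
		cand := strings.Trim(ns+"/"+segs[0], "/")
		if !known[cand] {
			break
		}
		ns, segs = cand, segs[1:]
	}
	return ns, strings.Join(segs, "/")
}

// mockVault lets the token read only my/engine/creds/myrole inside my/namespace.
func mockVault(w http.ResponseWriter, r *http.Request) {
	ns, rest := resolveTarget(r.Header.Get("X-Vault-Namespace"), strings.TrimPrefix(r.URL.Path, "/v1/"))
	if ns != "my/namespace" || rest != "my/engine/creds/myrole" {
		http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
		return
	}
	w.Write([]byte(`{"data":{"access_key":"constructed","secret_key":"constructed"}}`))
}

// fetchCreds sends GET /v1/<engine_name>/creds/<name> with VAULT_NAMESPACE as the header.
func fetchCreds(addr, envNamespace, engineName, role string) int {
	req, _ := http.NewRequest(http.MethodGet, addr+"/v1/"+engineName+"/creds/"+role, nil)
	req.Header.Set("X-Vault-Namespace", envNamespace) // empty value means root
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}

func main() { // namespace given in both header and engine_name: 403; in only one: 200
	srv := httptest.NewServer(http.HandlerFunc(mockVault))
	fmt.Println(fetchCreds(srv.URL, "my/namespace", "my/namespace/my/engine", "myrole"), fetchCreds(srv.URL, "my/namespace", "my/engine", "myrole"))
}
```

The same check can be run against a real cluster by comparing the namespace in the failing URL with the value of VAULT_NAMESPACE before raising the question of token resolution.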