Hashicorp vault auth allow tokens directly set in TriggerAuthentication #6026

Open
JorTurFer opened this issue Aug 2, 2024 · 4 comments · May be fixed by #6143
Labels
bug Something isn't working good first issue Good for newcomers help wanted Looking for support from community security All issues related to security

Comments

@JorTurFer
Member

JorTurFer commented Aug 2, 2024

Report

Currently, HashiCorp Vault auth supports 2 login methods, one based on a service account and the other based on tokens.
The problem is that the token isn't provided from a secret but from the TriggerAuthentication directly. This is a security risk, as TriggerAuthentication isn't a sensitive API by design.

Expected Behavior

The token should be recovered from a secret

Actual Behavior

The token is read from the TriggerAuthentication manifest

@JorTurFer JorTurFer added bug Something isn't working security All issues related to security help wanted Looking for support from community good first issue Good for newcomers labels Aug 2, 2024
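
An added example, not code from the KEDA project or from this thread: a check that lists TriggerAuthentication and ClusterTriggerAuthentication objects whose Vault token is set inline, the condition this issue reports, without echoing the token. It assumes the token sits at `spec.hashiCorpVault.credential.token` (a field path taken from KEDA's TriggerAuthentication schema, not shown on this page) and that the input is JSON as produced by `kubectl get triggerauthentication -A -o json`; the sample objects and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get triggerauthentication -A -o json`.
# Names, namespaces and token values are made up for this example.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "TriggerAuthentication",
   "metadata": {"name": "vault-inline", "namespace": "orders"},
   "spec": {"hashiCorpVault": {"authentication": "token",
            "credential": {"token": "CONSTRUCTED-NOT-A-REAL-TOKEN"}}}},
  {"kind": "TriggerAuthentication",
   "metadata": {"name": "vault-sa", "namespace": "billing"},
   "spec": {"hashiCorpVault": {"authentication": "kubernetes", "role": "keda",
            "credential": {"serviceAccount": "/var/run/secrets/sa/token"}}}},
  {"kind": "ClusterTriggerAuthentication",
   "metadata": {"name": "vault-cluster-inline"},
   "spec": {"hashiCorpVault": {"authentication": "token",
            "credential": {"token": "CONSTRUCTED-NOT-A-REAL-TOKEN-2"}}}},
  {"kind": "TriggerAuthentication",
   "metadata": {"name": "no-vault", "namespace": "web"},
   "spec": {"secretTargetRef": [{"parameter": "password", "name": "db", "key": "pw"}]}}
]}
""")

# Assumption: these are the two kinds that can carry a hashiCorpVault block.
KINDS = ("TriggerAuthentication", "ClusterTriggerAuthentication")


def iter_objects(doc):
    """Return the objects in a kubectl List, or the single manifest as a list."""
    return (doc.get("items") or []) if "items" in doc else [doc]


def find_inline_vault_tokens(doc):
    """Return (kind, namespace, name) per object with a non-empty inline token.

    The token value is never copied into the result, so the report can be shared.
    """
    findings = []
    for obj in iter_objects(doc):
        if obj.get("kind") not in KINDS:
            continue
        vault = (obj.get("spec") or {}).get("hashiCorpVault") or {}
        token = (vault.get("credential") or {}).get("token")
        if isinstance(token, str) and token.strip():
            meta = obj.get("metadata") or {}
            findings.append((obj["kind"], meta.get("namespace", ""), meta.get("name", "")))
    return findings


if __name__ == "__main__":
    for kind, ns, name in find_inline_vault_tokens(SAMPLE):
        print(f"{kind} {ns or '<cluster>'}/{name}: Vault token set inline in the manifest")
```

Any object it reports exposes its Vault token to every principal allowed to read that resource, so the token should be treated as disclosed and rotated once the manifest is changed.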
@shardulsrivastava

I would like to work on this issue, can you please assign it to me, @JorTurFer?

@JorTurFer
Member Author

Nice! Thanks for your help 😄
As this issue has been there for a long time, we should support both ways at the same time to follow the deprecation policy. Basically, you have to add support to read the value from a secret OR the current approach (and we can eventually remove the support for the current approach after some versions).

@dttung2905
Contributor

Hello @shardulsrivastava are you working on it? If not, I can give it a try too

@shardulsrivastava

@dttung2905 I am working on this right now.

@dttung2905 dttung2905 linked a pull request Sep 7, 2024 that will close this issue