Antoine Baudrand edited this page Jan 29, 2024 · 2 revisions

Installation

Using pre-built releases (recommended)

You can find pre-built releases of the plugin here. Once you have downloaded the latest archive corresponding to your target OS, uncompress it to retrieve the vault-plugin-secrets-exoscale plugin binary file.

From Sources

If you prefer to build the plugin from sources, clone the GitHub repository locally and run the command make build from the root of the sources directory. Upon successful compilation, the resulting vault-plugin-secrets-exoscale binary is stored in the bin/ directory.

Configuration

Copy the plugin binary into a location of your choice; this directory must be specified as the plugin_directory in the Vault configuration file:

plugin_directory = "path/to/plugin/directory"

Start a Vault server with this configuration file:

$ vault server -config=path/to/vault/config.hcl

Once the server is started, register the plugin in the Vault server's plugin catalog:

$ vault plugin register \
    -sha256="$(sha256sum path/to/plugin/directory/vault-plugin-secrets-exoscale | cut -d " " -f 1)" \
    -command="vault-plugin-secrets-exoscale" \
    secret exoscale

You can now enable the Exoscale secrets plugin:

$ vault secrets enable -plugin-name="exoscale" plugin

Usage

Secrets Backend Configuration

In order to be able to issue Vault secrets, the backend must be configured with root Exoscale API credentials and an Exoscale zone beforehand:

$ vault write exoscale/config/root         \
    root_api_key=${EXOSCALE_API_KEY}       \
    root_api_secret=${EXOSCALE_API_SECRET} \
    zone=ch-gva-2

Optionally, the lease duration of Exoscale API key secrets can be set at the backend level (by default, the Vault server's system-level value is used):

$ vault write exoscale/config/lease \
    ttl=24h \
    max_ttl=48h

Backend Roles

Backend roles are strictly Vault-local; there is no such concept in the Exoscale IAM service. When creating a role, you can optionally specify a list of API operations that Vault-generated API keys referencing this role will be restricted to. If no operations are specified when the role is created, API keys based on this role will be unrestricted.

Note: if the Exoscale root API key configured in the backend is itself restricted, you cannot specify API operations that the root API key is not allowed to perform. The list of available API operations is documented on the Exoscale API website.

$ vault write exoscale/role/list-only \
    operations=list-zones,list-instance-types \
    renewable=true
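As an added example (not part of the plugin or this wiki), a POSIX sh pre-flight check for the role creation above: it rejects a role whose requested operations exceed what the root API key may perform, warns when an empty operation list would yield unrestricted keys, and prints the vault command it would run. ROOT_ALLOWED_OPS is a constructed stand-in for the root key's permissions and check_role_ops is a hypothetical helper name.

```sh
#!/usr/bin/env sh
# Added example, not the plugin's own code.
# Constructed list standing in for the operations the root API key
# (exoscale/config/root) is allowed to perform; adjust to your key.
ROOT_ALLOWED_OPS="list-zones list-instance-types list-instances get-instance"

# check_role_ops NAME OPS
#   NAME: backend role name (exoscale/role/NAME)
#   OPS : comma-separated operations= value, may be empty
# Returns 0 and prints the vault command when every operation is permitted
# by the root key; returns 1 and lists the offending operations otherwise.
check_role_ops() {
    name=$1
    ops=$2
    bad=""

    if [ -z "$ops" ]; then
        # No restriction: keys issued for this role will be unrestricted.
        printf 'warning: role %s has no operations, its keys will be unrestricted\n' "$name" >&2
        printf 'vault write exoscale/role/%s renewable=true\n' "$name"
        return 0
    fi

    # Split the comma-separated list and check each op against the root key.
    for op in $(printf '%s' "$ops" | tr ',' ' '); do
        case " $ROOT_ALLOWED_OPS " in
            *" $op "*) ;;
            *) bad="$bad $op" ;;
        esac
    done

    if [ -n "$bad" ]; then
        printf 'role %s: operations not permitted by the root API key:%s\n' "$name" "$bad" >&2
        return 1
    fi

    printf 'vault write exoscale/role/%s operations=%s renewable=true\n' "$name" "$ops"
    return 0
}
```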

Exoscale API Keys Secrets

Exoscale API key secrets are tied to a backend role; the generated API key is restricted to the API operations set in that role, if any were specified.

$ vault read exoscale/apikey/list-only

Note: the Vault backend doesn't store the generated API credentials; there is no way to recover an API secret after it has been returned at secret creation.

Documentation

The complete backend plugin usage documentation is available through the command vault path-help exoscale.