Native Login method for Go client #12796
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ncabatoff
reviewed
Oct 13, 2021
…ent login options
calvn
reviewed
Oct 25, 2021
calvn
reviewed
Oct 25, 2021
calvn
reviewed
Oct 25, 2021
This reverts commit 1ef3949.
calvn
approved these changes
Oct 26, 2021
qk4l
pushed a commit
to qk4l/vault
that referenced
this pull request
Feb 4, 2022
* Native Login method, userpass and approle interfaces to implement it * Add AWS auth interface for Login, unexported struct fields for now * Add Kubernetes client login * Add changelog * Add a test for approle client login * Return errors from LoginOptions, use limited reader for secret ID * Fix auth comment length * Return actual type not interface, check for client token in tests * Require specification of secret ID location using SecretID struct as AppRole arg * Allow password from env, file, or plaintext * Add flexibility in how to fetch k8s service token, but still with default * Avoid passing strings that need to be validated by just having different login options * Try a couple real tests with approle and userpass login * Fix method name in comment * Add context to Login methods, remove comments about certain sources being inherently insecure * Perform read of secret ID at login time * Read password from file at login time * Pass context in integ tests * Read env var values in at login time, add extra tests * Update api version * Revert "Update api version" This reverts commit 1ef3949. * Update api version in all go.mod files
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds a Login function to the Go client that can be called by passing it anything that satisfies the AuthMethod interface. Functional options pattern is used to allow for defaults, and then each AuthMethod's Login method will do what is necessary to construct and perform the client.Logical().Write() request, and then set the client token.
For the simpler cases (userpass, Kubernetes) this just allows users to use more discoverable, idiomatic Go patterns; for the more complex logins (such as AWS) this should save a ton of headaches as users won't have to figure out how to generate the credentials chain themselves, etc.
Probably will need to add the GCP and Azure ones after 1.9, but I'm hoping to at least get these (AWS, AppRole, Kubernetes--and userpass just for kicks) into the release.