Enable AppRole authentication support for Vault

Expose Castellan's AppRole configuration options in the vault_plugin
section so that access to Vault can be managed using AppRoles, which
are better aligned with providing long-term application access to Vault
with policy-based ACLs.

Change-Id: I2bafd06e2e2b1bfefe2b4c4bcbecf80d924db205
Related-Bug: 1796851
Story: 2004017
Task: 27003
Depends-On: I59dfe31adb72712c53d49f66d9ac894e43e8bbad
James Page 2018-10-10 13:41:03 +01:00
parent 34faa76587
commit 77d94ff6a9
1 changed files with 6 additions and 0 deletions


@ -28,6 +28,10 @@ vault_opt_group = cfg.OptGroup(name='vault_plugin', title='Vault Plugin')
vault_opts = [
cfg.StrOpt('root_token_id',
help='root token for vault'),
cfg.StrOpt('approle_role_id',
help='AppRole role_id for authentication with vault'),
cfg.StrOpt('approle_secret_id',
help='AppRole secret_id for authentication with vault'),
cfg.StrOpt('vault_url',
default=DEFAULT_VAULT_URL,
help='Use this endpoint to connect to Vault, for example: '
@ -69,6 +73,8 @@ class VaultSecretStore(css.CastellanSecretStore):
vault_conf,
backend='vault',
vault_root_token_id=conf.vault_plugin.root_token_id,
vault_approle_role_id=conf.vault_plugin.approle_role_id,
vault_approle_secret_id=conf.vault_plugin.approle_secret_id,
vault_url=conf.vault_plugin.vault_url,
vault_ssl_ca_crt_file=conf.vault_plugin.ssl_ca_crt_file,
vault_use_ssl=conf.vault_plugin.use_ssl
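Review bot: The new `approle_secret_id` option in the first hunk is declared as a plain `cfg.StrOpt`, so oslo.config will print its value in clear text whenever the service dumps its option values to the log (for example at debug level). The secret_id is a login credential for Vault and should be masked: `cfg.StrOpt('approle_secret_id', secret=True, help='AppRole secret_id for authentication with vault'),`. The `root_token_id` context line above it has the same shape and would merit the same flag in a follow-up. The help strings also do not say which credential is used when both `root_token_id` and the AppRole pair are set; that precedence appears to be decided in Castellan and is worth one sentence in the help text. The options list and the call in the second hunk both continue outside the visible lines.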