
add ability to specify key vault managers #11

Open: wants to merge 2 commits into base: master

Conversation

dutsmiller (Contributor)

Fixes #10

Addresses access issues when terraform runs as a temporary identity.

@fabiendelpierre (Member)

This looks fine syntactically speaking, but how does it help someone who's trying to retrieve a secret from Key Vault in a TFE workspace running with temp credentials?

Also, looking at these lines, the permissions seem arbitrary and limited. If someone is designated as a "manager" of a KV instance, say they delete a secret and want to create a new one with the same name, they wouldn't be able to do so because of the soft delete feature, and due to their limited permissions, they also wouldn't be able to purge the deleted secret.

@dutsmiller (Contributor, Author)

@fabiendelpierre The Azure key vault created here is designed to only be used by the Hashicorp Vault cluster. While it could certainly be opened up to be shared with other services, there's no real pricing advantage to do so. The "manager" role in this capacity is just so that terraform is able to verify that the resources in question have been created, etc. Within that context, do you still feel the permissions are too restrictive?

@fabiendelpierre (Member)

Oh ok. Forgot about that, sorry. So for my first question then:

The problem is the TFE workspace changes identities with every run. The proposed change is to designate a "manager" identity that never changes. How will the TFE workspace assume that identity?

@b-odonoghue

TFE generates its temporary creds based on the group it's a part of, and I believe we are adding that group ID into the keyvault. So any temporary creds coming from that group should have the required permission on the keyvault itself.
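To make the mechanism described in this comment concrete, here is an added Terraform example (not code from this PR or from the repository) that grants a stable Azure AD group, or any other fixed object ID, an access policy on the Key Vault. TFE's short-lived credentials inherit that group's membership, so the policy survives the per-run identity change. The variable name `key_vault_manager_object_ids` and the resource address `azurerm_key_vault.vault` are assumptions; the resources, data source and argument names are the azurerm provider's own (permission names are written in the capitalized form that azurerm 3.x expects).

```terraform
# Added example, not the PR's own code. Assumes the vault itself is
# declared elsewhere as azurerm_key_vault.vault and that it does NOT
# use inline access_policy blocks (mixing inline policies with this
# resource makes the two fight over the same setting).

variable "key_vault_manager_object_ids" {
  description = "Object IDs (Azure AD groups or service principals) granted manager access to the vault"
  type        = list(string)
  default     = []
}

# Tenant of the identity Terraform is currently running as.
data "azurerm_client_config" "current" {}

# One policy per manager; the group ID stays fixed even though the
# credentials TFE hands out change on every run.
resource "azurerm_key_vault_access_policy" "manager" {
  for_each = toset(var.key_vault_manager_object_ids)

  key_vault_id = azurerm_key_vault.vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = each.value

  # Enough for Terraform to create, read back and remove what it manages.
  # "Purge" is deliberately absent: with soft delete on, this identity
  # can delete and recover but cannot permanently destroy a secret, which
  # is the trade-off discussed earlier in this thread.
  key_permissions         = ["Get", "List", "Create", "Delete", "Recover"]
  secret_permissions      = ["Get", "List", "Set", "Delete", "Recover"]
  certificate_permissions = ["Get", "List", "Create", "Delete", "Recover"]
}
```

Because the policy is a separate resource, other resources that read from the vault (for example an `azurerm_key_vault_secret` data source) do not automatically wait for it; give them `depends_on = [azurerm_key_vault_access_policy.manager]` so the first apply does not fail with an authorization error, and so that on destroy the policy is removed only after those dependents are gone.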

@b-odonoghue commented Mar 26, 2021

While testing this, though, I ran into the issue that once you want to delete your keyvault at some point it runs into issues. I at first thought it would require purge permissions, but I think it may just be an ordering issue, and after 2 runs the keyvault gets removed without issue.

Successfully merging this pull request may close these issues.

Key Vault access issue from TFE
3 participants