Vault dev tweaks
shaidar committed Nov 21, 2024
1 parent a819f5b commit 31f781f
Showing 3 changed files with 20 additions and 9 deletions.
@@ -1,7 +1,15 @@
path "secret-dev/*" {
capabilities = ["read"]
capabilities = ["list", "read"]
}

path "secret-operations/*" {
capabilities = ["list"]
}

path "secret-operations/global/*" {
capabilities = ["read"]
capabilities = ["list", "read"]
}

path "transit/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
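Review bot: The `transit/*` stanza on the new side grants `create`, `update` and `delete` across the whole mount, which lets anyone holding this policy delete keys, flip `deletion_allowed`/`exportable` through `transit/keys/+/config`, and (with `read`) pull key material from `transit/export/*` — far beyond what encrypt/decrypt use needs. If local development only needs to encrypt and decrypt, scope the grant to `update` on `transit/encrypt/*` and `transit/decrypt/*` plus `read`/`list` on `transit/keys/*`, and add explicit `deny` stanzas for `transit/keys/+/config` and `transit/export/*` so a later broadening cannot quietly re-open them. The file name is not shown here, but the read-only `secret-dev/*` and `secret-operations/*` stanzas suggest this is the `local_developer_policy` attached to the `local-dev` role in `__main__.py`, which makes the least-privilege cut more important, not less.
```hcl
# … unchanged: secret-dev/* and secret-operations/* stanzas …

path "transit/encrypt/*" {
  capabilities = ["update"]
}

path "transit/decrypt/*" {
  capabilities = ["update"]
}

path "transit/keys/*" {
  capabilities = ["read", "list"]
}

# Key config and export stay closed even if a broader transit grant is added later.
path "transit/keys/+/config" {
  capabilities = ["deny"]
}

path "transit/export/*" {
  capabilities = ["deny"]
}
```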
Expand Up @@ -3,8 +3,9 @@ secretsprovider: awskms://alias/infrastructure-secrets-qa
encryptedkey: AQICAHg42pDDDGBhpaX14TdtzcK1hbiMYTHsYRH4k5GL5RFpIwFac25J5Xp5ipNYT8OqyxzYAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMjCzAkUqlUXy+WKJyAgEQgDviF7YJRKiSMZxleOOcxGVxZB2swKbcYMLgVaOHv9wZKGhy1HnbnLuth0cfHqWH6iisARO2bj1LxW0HSQ==
config:
aws:region: us-east-1
keycloak:client_id: ol-vault-client
keycloak:client_secret:
secure: v1:O6bloRgoHCRsGakb:QZ5JfiWqpzCeO5VqKZHRtcRkIkDEVO3RgUTQEWvAbnAZuphA7XaSZO3DiW/hpwad
keycloak:url: https://sso-qa.ol.mit.edu
vault:address: https://vault-qa.odl.mit.edu
vault_server:env_namespace: operations.qa
keycloak:url: https://sso-qa.ol.mit.edu
keycloak:client_id: vault-client
keycloak:client_secret: placeholder # pragma: allowlist secret
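Review bot: `keycloak:client_secret: placeholder` on the last line replaces a `secure:` ciphertext with a plaintext config value, so Pulumi no longer treats the key as a secret — it will print unmasked in `pulumi config` and stack exports, and whatever provider argument it feeds (presumably the OIDC auth backend's client secret) loses secret tainting too. Even for a placeholder, set it with `pulumi config set --secret keycloak:client_secret <value>` so the key keeps its `secure:` form and the real QA secret cannot later be pasted in as plaintext; the `# pragma: allowlist secret` only silences the scanner, it does not protect anything. If the removed ciphertext was the working QA secret, OIDC login against `sso-qa.ol.mit.edu` will fail until the real value is set again. The `client_id` change to `vault-client` flows into `bound_audiences` via `keycloak_config.get('client_id')` in `__main__.py`, so the Keycloak client under that name must exist in the realm and issue tokens with that `aud` — worth confirming.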
10 changes: 6 additions & 4 deletions src/ol_infrastructure/substructure/vault/secrets/__main__.py
Expand Up @@ -18,6 +18,7 @@
if Config("vault_server").get("env_namespace"):
setup_vault_provider()
keycloak_config = Config("keycloak")
vault_config = Config("vault")

# Create the secret mount used for storing global secrets
global_vault_mount = vault.Mount(
Expand Down Expand Up @@ -87,14 +88,15 @@
backend=vault_oidc_keycloak_auth.path,
role_name="local-dev",
token_policies=[
"local_developer_policy.name",
local_developer_policy.name,
],
allowed_redirect_uris=[
f"{keycloak_config.get('url')}/realms/ol-platform-engineering"
f"{keycloak_config.get('url')}/realms/ol-platform-engineering",
f"{vault_config.get('address')}/ui/vault/auth/oidc/oidc/callback",
],
bound_audiences=[f"{keycloak_config.get('client_id')}"],
user_claim="sub",
oidc_scopes=["openid email profile"],
oidc_scopes=["email profile"],
groups_claim="groups",
bound_claims_type="string",
bound_claims={"groups": "vault-admin"},
Expand All @@ -106,7 +108,7 @@
"local-dev-group",
name="external",
type="external",
policies=["local_developer_policy.name"],
policies=[local_developer_policy.name],
metadata={
"responsibility": "1",
},
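Review bot: `vault_config.get('address')` in the new `allowed_redirect_uris` entry returns `None` when `vault:address` is missing from a stack config, so the role would be created with the literal URI `None/ui/vault/auth/oidc/oidc/callback` instead of failing the deploy; `vault_config.require('address')` (and `keycloak_config.require('url')` on the line above) turns the missing value into an error. The first entry, the Keycloak realm URL, does not look like a Vault redirect target — Vault only redirects back to its own `/ui/vault/auth/oidc/oidc/callback` or the CLI's `http://localhost:8250/oidc/callback`, so if `local-dev` is meant for `vault login -method=oidc`, that localhost URI is the one to add; please confirm against how the role is actually used. Separately, `oidc_scopes=["email profile"]` is one space-joined element rather than `["email", "profile"]`; it appears to work only because Vault joins the list with spaces, and the per-scope form is the documented shape. The resource call these arguments belong to starts before this hunk.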
