How to invoke a vault API from a vault plugin?


Dave Dykstra

Mar 25, 2020, 5:47:13 PM
to Vault
[I tried asking this in the discuss.hashicorp.com vault group but
there's no answer there yet.]

Could someone please direct me to example code that invokes a vault API
from a vault plugin? Or is that something that is never done?

In particular, I'd like to be able to write to a secrets plugin from an
auth plugin, and so far I haven't found any similar examples or
otherwise figured out how to do it. More details of what I'm trying to
do are in vault-plugin-auth-jwt issue 101:
https://github.com/hashicorp/vault-plugin-auth-jwt/issues/101

The closest thing I found was a similar question in this forum a month
ago but it also did not get an answer:
https://groups.google.com/d/msg/vault-tool/Zg6ynh0hju4/bD3lR4ZDGQAJ

Dave

Vishal Nayak

Mar 25, 2020, 6:22:08 PM
to vault...@googlegroups.com
Hi Dave,

Creating a Vault API client within the plugin with a token that has
permissions to read/write to any path seems to be the way to go. It
would be similar to any other process talking to a Vault server. A
plugin can't just read/write to any other plugin's paths; it would be
sidestepping the entire ACL system if it did.

Regards,
Vishal
> --
> This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/20200325214636.GA75887%40fnal.gov.



--
vn

Dave Dykstra

Mar 26, 2020, 10:20:04 AM
to vault...@googlegroups.com
Hi Vishal,

Yes, that's the way it would need to be done, but my question is: has it
been done before, so I'd have some guidance on how best to do it? I'm
wondering if there are any libraries beyond the standard http libraries
that would make any of it easier. I have found various examples in test
programs that invoke vault APIs, but they start from scratch reading
$VAULT_ADDR and other environment variables. I would think there would
at least be a library function that does most of the common things of a
vault client, unless plugins otherwise never communicate with each other.

An alternative has been suggested in
https://github.com/puppetlabs/vault-plugin-secrets-oauthapp/pull/6
to instead make a single plugin that is both a vault auth and secrets
plugin. Maybe that's a better way to go for this case.

Dave


Dave Dykstra

Apr 2, 2020, 5:34:12 PM
to vault...@googlegroups.com
I stumbled across a good example at
https://github.com/hashicorp/packer/blob/master/builder/amazon/common/access_config.go#L226

In fact there is a library function provided, the api.NewClient() function:
https://godoc.org/github.com/hashicorp/vault/api#NewClient

The idea of making a single plugin that was both a vault auth and vault
secrets plugin did not work; a plugin may only be one or the other, and
every external plugin runs in its own separate process. Instead, I
submitted this PR to write from the auth plugin to a secrets plugin:
https://github.com/hashicorp/vault-plugin-auth-jwt/pull/107

Dave
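The pattern the thread settles on, a plugin process acting as an ordinary Vault client with its own token, as an added example that is not Dave's PR, the packer code he links, or HashiCorp's own `api` package. It uses only the Go standard library so it runs without the `github.com/hashicorp/vault/api` module, but it sends exactly what `api.NewClient()` plus `Logical().Write()` send: a `PUT` to `/v1/<path>` carrying the token in the `X-Vault-Token` header and a JSON body, and it decodes Vault's `{"errors": [...]}` body on failure. The names `VaultClient`, `NewVaultClient` and `Write`, the token strings and the `secret/...` paths are constructed for the example; the in-process stand-in server in `main()` is also constructed so the program runs offline. Consistent with Vishal's point about the ACL system, the token handed to the plugin should carry a policy limited to the specific secrets paths it needs, and should arrive through the plugin's configuration rather than being compiled into the binary.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"time"
)

// VaultClient is the minimum a plugin process needs to call back into Vault:
// the server address, a token sent in the X-Vault-Token header, and an
// http.Client with a timeout. api.NewClient() sets up the same pieces (plus
// TLS, retries and namespaces); this stand-in uses only the standard library.
type VaultClient struct {
	Addr  string
	Token string
	HTTP  *http.Client
}

// NewVaultClient builds a client. Empty arguments fall back to VAULT_ADDR and
// VAULT_TOKEN, as the test programs mentioned in the thread do; a plugin would
// normally receive both through its own config path instead.
func NewVaultClient(addr, token string) *VaultClient {
	if addr == "" {
		addr = os.Getenv("VAULT_ADDR")
	}
	if token == "" {
		token = os.Getenv("VAULT_TOKEN")
	}
	return &VaultClient{
		Addr:  strings.TrimRight(addr, "/"),
		Token: token,
		HTTP:  &http.Client{Timeout: 10 * time.Second},
	}
}

// vaultError matches the {"errors": [...]} body Vault returns on failure.
type vaultError struct {
	Errors []string `json:"errors"`
}

// Write PUTs data to /v1/<path>, the request api.Logical().Write makes.
// A KV v1 mount answers 204 No Content (nil result); a KV v2 mount expects
// the payload wrapped as {"data": {...}} under <mount>/data/<key> and answers
// 200 with version metadata, which is returned decoded.
func (c *VaultClient) Write(path string, data map[string]interface{}) (map[string]interface{}, error) {
	body, err := json.Marshal(data)
	if err != nil {
		return nil, err
	}
	url := c.Addr + "/v1/" + strings.TrimLeft(path, "/")
	req, err := http.NewRequest(http.MethodPut, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", c.Token)
	req.Header.Set("Content-Type", "application/json")

	resp, err := c.HTTP.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode >= 400 {
		// Surface Vault's own message, e.g. "permission denied" when the
		// token's policy does not cover the path being written.
		var ve vaultError
		_ = json.Unmarshal(raw, &ve)
		return nil, fmt.Errorf("vault write %s: HTTP %d: %s", path, resp.StatusCode, strings.Join(ve.Errors, "; "))
	}
	if len(bytes.TrimSpace(raw)) == 0 {
		return nil, nil
	}
	var out map[string]interface{}
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, fmt.Errorf("vault write %s: decoding response: %w", path, err)
	}
	return out, nil
}

// main runs the client against a constructed in-process stand-in for Vault so
// the example works offline; point NewVaultClient at a real server instead.
func main() {
	fake := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != "s.constructed-token" {
			w.WriteHeader(http.StatusForbidden)
			fmt.Fprint(w, `{"errors":["permission denied"]}`)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	}))
	defer fake.Close()

	c := NewVaultClient(fake.URL, "s.constructed-token")
	_, err := c.Write("secret/myapp/creds", map[string]interface{}{"password": "constructed"})
	fmt.Println("write with scoped token:", err)
	_, err = NewVaultClient(fake.URL, "s.wrong-token").Write("secret/myapp/creds", nil)
	fmt.Println("write with wrong token:", err)
}
```

Inside a real plugin, `Write` is what an auth backend's login path would call after a successful authentication to record something in a secrets mount; the 403 branch is the signal that the plugin's token policy does not match the path it was given, which is worth logging on the plugin side rather than swallowing.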