Cannot set up SSH Certificates as a Brokered Credentials Source #5256

Open
shellwhale opened this issue Nov 19, 2024 · 0 comments

Labels: bug (Something isn't working)

Comments

shellwhale commented Nov 19, 2024

Hello.

I cannot make certificate injection work either, so I tried certificate brokering.
While trying to set up SSH certificates as a brokered credential source with Terraform, the following error is triggered:

module.my_project.boundary_host_catalog_static.servers: Refreshing state... [id=hcst_M0SoS1sEC2]
module.my_project.boundary_credential_store_vault.foo: Refreshing state... [id=csvlt_HJ7VFn0jsm]
module.my_project.boundary_host_static.my_project: Refreshing state... [id=hst_e1TNApyv4v]
module.my_project.boundary_host_set_static.my_project: Refreshing state... [id=hsst_ZF5vWrXgBr]
module.my_project.boundary_target.ssh: Refreshing state... [id=ttcp_6L5Cr0OUss]
module.my_project.boundary_credential_library_vault_ssh_certificate.foo: Refreshing state... [id=clvsclt_nV8DMWuBcg]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.my_project.boundary_target.ssh will be updated in-place
  ~ resource "boundary_target" "ssh" {
      ~ brokered_credential_source_ids             = [
          + "clvsclt_nV8DMWuBcg",
        ]
        id                                         = "ttcp_6L5Cr0OUss"
        name                                       = "ssh"
        # (13 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
module.my_project.boundary_target.ssh: Modifying... [id=ttcp_6L5Cr0OUss]
╷
│ Error: error updating credential sources in target: {"kind":"InvalidArgument","message":"Errors in provided fields.","details":{"request_fields":[{"name":"brokered_credential_source_ids","description":"Incorrectly formatted credential source identifier \"clvsclt_nV8DMWuBcg\"."}]}}
│
│   with module.my_project.boundary_target.ssh,
│   on example_project_my_project/main.tf line 57, in resource "boundary_target" "ssh":
│   57: resource "boundary_target" "ssh" {
│

A (similar?) error occurs when trying to achieve the same thing using the UI.

Here is the Terraform code:

variable "organization_id" {
}

resource "boundary_scope" "project" {
  name        = "project"
  description = "Projet project"

  # This parameter is the parent scope.  It can be either the global scope, an
  # org-level scope, or a project-level scope.
  scope_id = var.organization_id

  # Using the auto_create_x_role flags can help you get set up faster
  # because you won't have to explicitly define these roles.
  auto_create_admin_role   = true
  auto_create_default_role = true
}

resource "boundary_host_catalog_static" "servers" {
  scope_id = boundary_scope.project.id
}

resource "boundary_host_static" "project" {
  type            = "static"
  name            = "project"
  description     = "Machine project"
  address         = "192.168.0.10"
  host_catalog_id = boundary_host_catalog_static.servers.id
}

resource "boundary_host_set_static" "project" {
  type            = "static"
  name            = "project"
  description     = "Host set for project servers"
  host_catalog_id = boundary_host_catalog_static.servers.id
  host_ids        = [boundary_host_static.project.id]
}

resource "boundary_credential_store_vault" "foo" {
  name        = "foo"
  description = "My first Vault credential store!"
  address     = "http://vault:8200" # change to Vault address
  token       = "CENSORED"          # change to valid Vault token
  scope_id    = boundary_scope.project.id
}

resource "boundary_credential_library_vault_ssh_certificate" "foo" {
  name                = "foo"
  description         = "My first Vault SSH certificate credential library!"
  key_type            = "rsa"
  key_bits            = 4096
  credential_store_id = boundary_credential_store_vault.foo.id
  path                = "ssh/sign/boundary-client" # change to correct Vault endpoint and role
  username            = "root"                     # change to valid username
}

resource "boundary_target" "ssh" {
  type                     = "tcp"
  name                     = "ssh"
  description              = "SSH server"
  enable_session_recording = false
  scope_id                 = boundary_scope.project.id
  session_connection_limit = -1
  session_max_seconds      = 3600
  default_port             = 22

  host_source_ids = [
    boundary_host_set_static.project.id
  ]

  brokered_credential_source_ids = [
    boundary_credential_library_vault_ssh_certificate.foo.id
  ]

  # injected_application_credential_source_ids = [
  #   boundary_credential_library_vault_ssh_certificate.foo.id
  # ]
}
@shellwhale shellwhale added the bug Something isn't working label Nov 19, 2024
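As an added example, not part of the issue above and not the Boundary project's or provider's own documentation: the same Vault SSH certificate library attached to a target as an injected credential source rather than a brokered one. It assumes the `boundary_scope.project` and `boundary_host_set_static.project` resources from the issue's configuration, the same Vault address and `ssh/sign/boundary-client` role path, and that the controller is HCP Boundary or Boundary Enterprise, since `ssh`-type targets and credential injection are not available in the community edition. The Vault token is taken from a sensitive variable instead of a literal in `main.tf`, and the certificate is kept short-lived.

```hcl
# Assumption: supply via TF_VAR_vault_token or a tfvars file kept out of version control.
variable "vault_token" {
  type      = string
  sensitive = true
}

resource "boundary_credential_store_vault" "vault" {
  name     = "vault"
  address  = "http://vault:8200" # assumed Vault address, as in the issue
  token    = var.vault_token
  scope_id = boundary_scope.project.id
}

resource "boundary_credential_library_vault_ssh_certificate" "ssh_cert" {
  name                = "ssh-cert"
  credential_store_id = boundary_credential_store_vault.vault.id
  path                = "ssh/sign/boundary-client" # assumed Vault SSH secrets engine role, as in the issue
  username            = "root"                     # assumed principal; prefer a non-root account in practice
  key_type            = "ed25519"

  # A fresh certificate is signed for each session, so a few minutes is enough.
  ttl = "5m"

  # Only grant the extensions the session actually needs.
  extensions = {
    permit-pty = ""
  }
}

resource "boundary_target" "ssh" {
  type                     = "ssh" # injected credentials require an ssh-type target, not tcp
  name                     = "ssh"
  description              = "SSH server"
  scope_id                 = boundary_scope.project.id
  session_connection_limit = -1
  session_max_seconds      = 3600
  default_port             = 22

  host_source_ids = [
    boundary_host_set_static.project.id
  ]

  # Injected, not brokered: the worker obtains the signed certificate and
  # authenticates to the host itself; the client never receives the key
  # material, which is the point of using certificates over a bastion.
  injected_application_credential_source_ids = [
    boundary_credential_library_vault_ssh_certificate.ssh_cert.id
  ]
}
```

After `terraform apply`, `boundary targets read -id <target id>` should list the library under the injected application credential sources, and a client connects with `boundary connect ssh -target-id <target id>` without being handed a private key. The Vault role behind `ssh/sign/boundary-client` still has to allow the `username`, `ttl` and extensions requested here, otherwise Vault refuses the signing request at session start.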