From 5579394b48eca965c1db80333a6dda4602ef6990 Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Wed, 27 Oct 2021 12:07:18 -0400 Subject: [PATCH] go-kms-wrapping update for Azure Key Vault's Managed HSM offering (#12934) * Update to hashicorp/go-kms-wrapping@v0.6.8 Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com> Signed-off-by: Alexander Scheel * Add documentation around Managed HSM KeyVault This introduces the "resource" config parameter and the AZURE_AD_RESOURCE environment variable from the updated go-kms-wrapping dependency. Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com> Signed-off-by: Alexander Scheel * Add changelog entry for g-k-w changes Includes changes from @stevendpclark. Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com> Signed-off-by: Alexander Scheel Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com> --- changelog/12934.txt | 3 +++ go.mod | 4 ++-- go.sum | 8 +++++--- .../content/docs/configuration/seal/azurekeyvault.mdx | 9 +++++++++ 4 files changed, 19 insertions(+), 5 deletions(-) create mode 100644 changelog/12934.txt diff --git a/changelog/12934.txt b/changelog/12934.txt new file mode 100644 index 000000000..fbc6aa50b --- /dev/null +++ b/changelog/12934.txt @@ -0,0 +1,3 @@ +```release-note:bug +secrets/keymgmt (enterprise): Fix support for Azure Managed HSM Key Vault instances. +``` diff --git a/go.mod b/go.mod index 19199dd1c..a026aaf38 100644 --- a/go.mod +++ b/go.mod @@ -63,7 +63,7 @@ require ( github.com/hashicorp/go-discover v0.0.0-20210818145131-c573d69da192 github.com/hashicorp/go-gcp-common v0.7.0 github.com/hashicorp/go-hclog v1.0.0 - github.com/hashicorp/go-kms-wrapping v0.6.7 + github.com/hashicorp/go-kms-wrapping v0.6.8 github.com/hashicorp/go-memdb v1.3.2 github.com/hashicorp/go-multierror v1.1.1 github.com/hashicorp/go-raftchunking v0.6.3-0.20191002164813-7e9e8525653a @@ -172,7 +172,7 @@ require ( golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 golang.org/x/net v0.0.0-20211020060615-d418f374d309 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d - golang.org/x/sys v0.0.0-20211025112917-711f33c9992c + golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d golang.org/x/tools v0.1.5 google.golang.org/api v0.29.0 diff --git a/go.sum b/go.sum index c36147d83..ace13c32a 100644 --- a/go.sum +++ b/go.sum @@ -653,8 +653,8 @@ github.com/hashicorp/go-immutable-radix v1.1.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjh github.com/hashicorp/go-immutable-radix v1.3.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= -github.com/hashicorp/go-kms-wrapping v0.6.7 h1:JiEd/3l71icodhvkqwrd1G/nPay9jyupzkOVxG+P2fc= -github.com/hashicorp/go-kms-wrapping v0.6.7/go.mod h1:rmGmNzO/DIBzUyisFjeocXvazOlxgO5K8vsFQkUn7Hk= +github.com/hashicorp/go-kms-wrapping v0.6.8 h1:Tu4X6xRFyV3i9SSthYVGnyNaof3VTxVo2tBQ7bdHiwE= +github.com/hashicorp/go-kms-wrapping v0.6.8/go.mod h1:rmGmNzO/DIBzUyisFjeocXvazOlxgO5K8vsFQkUn7Hk= github.com/hashicorp/go-kms-wrapping/entropy v0.1.0 h1:xuTi5ZwjimfpvpL09jDE71smCBRpnF5xfo871BSX4gs= github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g= github.com/hashicorp/go-memdb v1.3.2 h1:RBKHOsnSszpU6vxq80LzC2BaQjuuvoyaQbkLTf7V7g8= @@ -1575,8 +1575,9 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211025112917-711f33c9992c h1:i4MLwL3EbCgobekQtkVW94UBSPLMadfEGtKq+CAFsEU= golang.org/x/sys v0.0.0-20211025112917-711f33c9992c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359 h1:2B5p2L5IfGiD7+b9BOoRMC6DgObAVZV+Fsp050NqXik= +golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d h1:SZxvLBoTP5yHO3Frd4z4vrF+DBX9vMVanchswa69toE= @@ -1769,6 +1770,7 @@ google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+Rur google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/website/content/docs/configuration/seal/azurekeyvault.mdx b/website/content/docs/configuration/seal/azurekeyvault.mdx index 13f127967..b75d65aec 100644 --- a/website/content/docs/configuration/seal/azurekeyvault.mdx +++ b/website/content/docs/configuration/seal/azurekeyvault.mdx @@ -57,6 +57,10 @@ These parameters apply to the `seal` stanza in the Vault configuration file: - `key_name` `(string: )`: The Key Vault key to use for encryption and decryption. May also be specified by the `VAULT_AZUREKEYVAULT_KEY_NAME` environment variable. +- `resource` `(string: "vault.azure.net")`: The AZ KeyVault resource's DNS Suffix to connect to. + May also be specified in the `AZURE_AD_RESOURCE` environment variable. + Needs to be changed to connect to Azure's Managed HSM KeyVault instance type. + ## Authentication Authentication-related values must be provided, either as environment @@ -68,6 +72,7 @@ Azure authentication values: - `AZURE_CLIENT_ID` - `AZURE_CLIENT_SECRET` - `AZURE_ENVIRONMENT` +- `AZURE_AD_RESOURCE` ~> **Note:** If Vault is hosted on Azure, Vault can use Managed Service Identities (MSI) to access Azure instead of an environment and shared client id @@ -79,6 +84,10 @@ prevents your Azure credentials from being stored as clear text. Refer to the Hardening](https://learn.hashicorp.com/vault/day-one/production-hardening) guide for more best practices. +-> **Note:** If you are using a Managed HSM KeyVault, `AZURE_AD_RESOURCE` or the `resource` +configuration parameter must be specified; usually this should point to `managedhsm.azure.net`, +but could point to other suffixes depending on Azure environment. + ## `azurekeyvault` Environment Variables Alternatively, the Azure Key Vault seal can be activated by providing the following