Hello,
Since we have a problem logging usernames in logs (topic here: Email and User Name in logs - #5 by thibaut1405), we tried to use the credential mapping override to bypass this problem. But I have a problem in the configuration that I don't understand.
We use Vault to provide credentials for the connection to the Postgres database.
That's our configuration:
resource "boundary_credential_library_vault" "vault_store" {
  for_each = {
    for db_name, db in local.scope : format("%s-%s", db.scope_name, db.db_name) => db
  }
  name                = format("%s-%s", each.value.scope_name, each.value.db_name)
  description         = each.value.description
  credential_store_id = boundary_credential_store_vault.vault_store[each.value.scope_name].id
  path                = format("database/creds/%s-%s", each.value.scope_name, each.value.db_name)
  http_method         = "GET"
  credential_type     = "username_password"
  credential_mapping_overrides = {
    username_attribute = "{{.Account.Name}}"
  }
}
And we get this error when we try to connect to a target:
Error from controller when performing authorize-session action against given target
Error information:
Kind: Internal
Message: targets.(Service).AuthorizeSession: mapping vault secret to a credential type failed, integrity violation: error #3017
Status: 500
context: Error from controller when performing authorize-session action against given target
Boundary version: 0.11.1
Vault version: 1.12
Do we need to do something in Vault to make it work properly?
Regards
Thibaut
At first glance it looks to me like the secret returned by Vault isn't able to be mapped to a username_password credential type. What does the secret look like when you retrieve it from Vault in JSON format?
An example of a username and password returned by Vault:
{
  "request_id": "77a8ce89-42e9-53c5-3af5-702f1d138db0",
  "lease_id": "database/creds/team-boundary/pEcqy0AVl9AHQ4QP9YXj5SDI",
  "renewable": true,
  "lease_duration": 180,
  "data": {
    "password": "UI-cRtkMyqgYrF-4Swau",
    "username": "v-token-team-db-arN9zAbELGK76xZkV2UZ-1670425842"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
Hi @thibaut1405
The mapping overrides for Vault credential libraries allow an admin to override the field attributes in the credential, they do not override the values of the credential returned by Vault.
By default a username_password credential looks for two fields, username and password. Using your example:
"data": {
  "password": "UI-cRtkMyqgYrF-4Swau",
  "username": "v-token-team-db-arN9zAbELGK76xZkV2UZ-1670425842"
},
This would be parsed by Boundary as a username_password credential, as it was before you added the override. However, if the credential from Vault looked like:
"data": {
  "my-password": "UI-cRtkMyqgYrF-4Swau",
  "username": "v-token-team-db-arN9zAbELGK76xZkV2UZ-1670425842"
},
Boundary would not parse it correctly since it did not find the default password field. Here the admin would need to configure a credential_mapping_override for the password_attribute as follows:
credential_mapping_overrides = {
  password_attribute = "my-password"
}
So by adding the override, Boundary is now looking for the username in a field that is the value of .Account.Name and not finding it, resulting in your error.
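To make the distinction concrete, here is a small added Python model (not Boundary's own code; a simplified illustration written for this thread) that treats the override exactly as the answer above describes: it selects which field of the Vault secret's `data` object to read, and never rewrites the value. A field name that does not exist in the secret fails the mapping, which is what happens with `{{.Account.Name}}`. The sample secrets and values are constructed.

```python
"""Toy model of how a username_password credential is mapped from a Vault secret.

Assumption: this is a simplified reimplementation for illustration only, not
Boundary's code. It models one rule from the thread: an override names the
*field* in the secret's `data` that holds each value; it does not template or
change the value itself.
"""
from typing import Optional

# Field names Boundary looks for when no override is configured.
DEFAULT_FIELDS = {"username_attribute": "username", "password_attribute": "password"}


def map_username_password(secret: dict, overrides: Optional[dict] = None) -> dict:
    """Return {'username': ..., 'password': ...} extracted from a Vault secret.

    `secret` is the JSON document Vault returns (only `data` is inspected).
    `overrides` may carry username_attribute / password_attribute, each naming
    the field in `data` to read. Raises KeyError naming the missing field,
    which mirrors the mapping failure reported in the thread.
    """
    fields = {**DEFAULT_FIELDS, **(overrides or {})}
    data = secret.get("data", {})
    mapped = {}
    for target, override_key in (("username", "username_attribute"),
                                 ("password", "password_attribute")):
        field_name = fields[override_key]
        if field_name not in data:
            raise KeyError(f"field {field_name!r} for {target} not present in Vault secret data")
        mapped[target] = data[field_name]
    return mapped


# Constructed samples shaped like the thread's secret, with placeholder values.
SECRET = {
    "lease_id": "database/creds/team-boundary/EXAMPLE-LEASE-ID",
    "data": {"password": "EXAMPLE-PASSWORD", "username": "v-token-team-db-EXAMPLE"},
}
SECRET_RENAMED = {
    "data": {"my-password": "EXAMPLE-PASSWORD", "username": "v-token-team-db-EXAMPLE"},
}


def demo() -> dict:
    """Run the three cases discussed in the thread and report each outcome."""
    results = {}
    # 1. Default field names, no override: maps cleanly.
    results["default"] = map_username_password(SECRET)["username"]
    # 2. The override from the original post: the mapper looks for a field
    #    literally named "{{.Account.Name}}", which Vault never returned.
    try:
        map_username_password(SECRET, {"username_attribute": "{{.Account.Name}}"})
        results["template_override"] = "mapped"
    except KeyError as exc:
        results["template_override"] = f"failed: {exc}"
    # 3. Vault returns the password under "my-password"; overriding the field
    #    name (not the value) makes the mapping succeed again.
    results["renamed_field"] = map_username_password(
        SECRET_RENAMED, {"password_attribute": "my-password"}
    )["password"]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Running it prints one line per case; the second case is the one that corresponds to the error #3017 in the original post, and the error text names the field that was looked up so the misconfiguration is visible at a glance.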
Oh okay, so I misunderstood something, thank you for your response.
Is it possible to create a custom username based on the first name returned from Boundary to Vault?
For example, a user named joe tries to connect to a DB target in Boundary where secrets are brokered by Vault,
creating a username like "joe_v_dev" instead of some random "v-root_admi-Lt70Rn1SSbVQHdblZsUF-1681461221".
I am able to find an article on username templating in Vault but not able to find anything related to Boundary & Vault integration.
Thanks!