
Remove the key_metadata_file and use_msi (azure_key_vault only) settings #5207

Merged
merged 3 commits into from
Jun 10, 2024

Conversation

amartinezfayo

  • Removed the deprecated setting key_metadata_file from the aws_kms, azure_key_vault and gcp_kms plugins.
  • Updated the documentation describing how the key_identifier_file and key_identifier_value settings are used.
  • Removed the deprecated use_msi setting from the azure_key_vault plugin. A separate PR removing that setting from the azure_msi plugin will be opened.

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Comment on lines 30 to 33
If you need more control over the identifier that's used for the server, the
`key_identifier_value` setting can be used instead. This allows to specify a
static identifier for the server instance, and is appropriate in situations
where a key identifier file can't be persisted.

Suggested change
If you need more control over the identifier that's used for the server, the
`key_identifier_value` setting can be used instead. This allows to specify a
static identifier for the server instance, and is appropriate in situations
where a key identifier file can't be persisted.
If you need more control over the identifier that's used for the server, the
`key_identifier_value` setting can be used to specify a
static identifier for the server instance. This setting is appropriate in situations
where a key identifier file can't be persisted.


Aliases managed by the plugin have the following form: `alias/SPIRE_SERVER/{TRUST_DOMAIN}/{SERVER_ID}/{KEY_ID}`. The `{SERVER_ID}` is an auto-generated ID unique to the server and is persisted in the _Key Metadata File_ (see the `key_metadata_file` configurable). This ID allows multiple servers in the same trust domain (e.g. servers in HA deployments) to manage keys with identical `{KEY_ID}`'s without collision. The `{KEY_ID}` in the alias name is encoded to use a [character set accepted by KMS](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateAlias.html#API_CreateAlias_RequestSyntax).
The plugin assigns [aliases](https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html) to the Customer Master Keys that manages. The aliases are used to identify and name keys that are managed by the plugin.
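Review bot: the alias-format sentence in this hunk still points readers to the `key_metadata_file` configurable as the place where `{SERVER_ID}` is persisted, while this PR removes that setting; reword that reference so it names the key identifier file (`key_identifier_file`) or the static identifier (`key_identifier_value`) instead, so the documentation does not refer to a setting that no longer exists.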

Suggested change
The plugin assigns [aliases](https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html) to the Customer Master Keys that manages. The aliases are used to identify and name keys that are managed by the plugin.
The plugin assigns [aliases](https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html) to the Customer Master Keys that it manages. The aliases are used to identify and name keys that are managed by the plugin.

Comment on lines 68 to 71
If you need more control over the identifier that's used for the server, the
`key_identifier_value` setting can be used instead. This allows to specify a
static identifier for the server instance, and is appropriate in situations
where a key identifier file can't be persisted.

See other suggestion.

Consequently, if the file is lost, the plugin will not be able to identify keys
that it has previously managed and will recreate new keys on demand.

If you need more control over the identifier that's used for the server, the

See other suggestion.

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
@amartinezfayo amartinezfayo merged commit 04a0bcd into spiffe:main Jun 10, 2024
33 checks passed