Username & password authentication to use Oauth instead of APIKey endpoint #105
Comments
As noted by Venafi colleagues this issue is in the same spirit as:
I'd like to add that currently the documentation of the provider is not entirely clear. Yes, username and password are deprecated, but it doesn't make clear in which versions of Venafi Trust Protection Platform the API Key functionality is removed. I think the API Key functionality is removed in 22.2, from here. Adding a note on this might just be helpful to give customers the full picture. I'll see if I can PR something to enhance that documentation.
Similar to #25, this issue seems like it would be handled by the venafi-token provider and a venafi-token_credential resource. Could it also be closed?
@luispresuelVenafi Can this be closed, similar to #25?
Thank you for the highlight here @brental. Yeah, we can close this issue, as automation for tokens can be handled by our other provider, the Terraform Token Provider, along with this one.
Hi all, if you are still looking for an alternate solution in addition to the token provider, please have a look at curl-provider-0.7.0. This IMO works better than the token provider, as it's a data provider fetching a token on each run. An example config:

```hcl
provider "curl" {}

# Request a fresh access token from the TPP OAuth endpoint on every run.
# Note: data source results, including response_body with the token,
# are persisted in Terraform state; protect the state accordingly.
data "curl_request" "create_token" {
  http_method = "POST"
  uri         = var.venafi_oauth_url
  data = jsonencode({
    username  = sensitive(var.venafi_username)
    password  = sensitive(var.venafi_password)
    client_id = var.venafi_client_id
    scope     = var.venafi_scope
  })
  headers = {
    "Content-Type" = "application/json"
  }
}

## then you wire the token here directly
provider "venafi" {
  url          = var.venafi_url
  access_token = jsondecode(data.curl_request.create_token.response_body).access_token
  zone         = var.venafi_zone
}
```
BUSINESS PROBLEM
Submitting on behalf of a customer:
As a part of the policies in place at the organization, they use short-lived access tokens. With the recent deprecation of username and password functionality in the Venafi provider, it has made the process very difficult. Before, Terraform handled the entire process of getting the token, but now that process has to be performed out of bounds. This has caused a significant impedance, as the action of getting a token has to be performed daily as a manual process now.
It's worth mentioning as well that the field is deprecated but doesn't mention from what TPP version it actually breaks. (If this message is coming from Venafi, then not sure how easy it would be to rectify that error handling.)
Deprecated User / Pass
Setup:
PROPOSED SOLUTION
Changing the integration to point to the Oauth endpoint to enable retrieving an access token in bounds.
Or it could allow for access token and refresh token input, so that Terraform could utilize the refresh token functionality to automatically refresh the short-lived tokens. Similar to #102.
CURRENT ALTERNATIVES
I believe we could get a license from Venafi support to re-enable api key if absolutely necessary.
VENAFI EXPERIENCE
Customer that is well versed in TPP.