Ptolemy v0.2.0 Ptolemy.Engines.GCP View Source

Ptolemy.Engines.GCP provides a public facing API for CRUD operations for the Vault GCP engine.

Link to this section Summary

Types

Types of Google Cloud Secrets allowed by Vault

A GCP roleset map

Functions

Creates a roleset account in the given engine from which access token's and service account key's can be generated

Creates a roleset account in the given engine, erroring out if an error occurs

Creates a Tesla Client whose base URL refers to the given GCP engine

Rotates a roleset account, erroring out if an error occurs

Generates an access token/service account key from the given roleset

Generates an access token/service account key from the given roleset, erroring out if an error occurs

Retreives the current configuration for a given roleset, erroring out if an error occurs

Updates a roleset by simply calling create with the new payload

Updates a roleset account given a new payload, erroring out if an error occurs

Link to this section Types

Link to this type

gcp_secret_type() View Source
gcp_secret_type() :: :access_token | :service_account_key

Types of Google Cloud Secrets allowed by Vault

Link to this type

roleset() View Source
roleset() :: %{
  :secret_type => String.t(),
  :project => String.t(),
  :bindings => String.t(),
  optional(:token_scopes) => [String.t()]
}

A GCP roleset map.

Fields:

  • :secret_type - type of secret generated for this role set. i.e. "access_token", "service_account_key"
  • :project - name of the GCP project to which this roleset's service account will belong
  • :bindings - bindings configuration string (read more here: https://www.vaultproject.io/docs/secrets/gcp/index.html#roleset-bindings)
  • :token_scopes - Applies only if secret type is access_token list of OAuth scopes belonging to secrets generated under this role set

Link to this section Functions

Link to this function

create(server_name, engine_name, roleset_name, roleset_payload) View Source
create(atom(), atom(), String.t(), roleset()) ::
  {:ok, String.t()} | {:error, String.t()}

Creates a roleset account in the given engine from which access token's and service account key's can be generated.

Example

iex(1)> Ptolemy.Engines.GCP.create(server, :gcp_engine, "roleset_name", %{
  bindings: "resource "//cloudresourcemanager.googleapis.com/projects/project-name" {roles = ["roles/viewer"]}",
  project: "project-name",
  secret_type: "service_account_key"
})
{:ok, "Roleset implemented"}
Link to this function

create!(server_name, engine_name, roleset_name, roleset_payload) View Source
create!(atom(), atom(), String.t(), roleset()) :: :ok | no_return()

Creates a roleset account in the given engine, erroring out if an error occurs.

Link to this function

create_client(server_name, engine_name) View Source
create_client(atom(), atom()) :: %Tesla.Client{
  adapter: term(),
  fun: term(),
  post: term(),
  pre: term()
}

Creates a Tesla Client whose base URL refers to the given GCP engine.

The GCP Engine requires this client to make API calls to the correct engine.

Link to this function

delete(server_name, engine_name, secret_type, roleset_name) View Source
delete(atom(), atom(), gcp_secret_type(), String.t()) ::
  {:ok, String.t()} | {:error, String.t()}

Rotate a roleset account.

The Vault Google Secret Engine API offers multiple endpoints for rotating roleset accounts to invalidate previously generated secrets.

There are two methods:

Rotate Roleset Account Key

  • This method is only for access_token secrets and is triggered by calling this function with :access_token
  • This method will change the KeyID that the roleset account uses to generate secrets
  • Based on testing, this method does not invalidate previously generated tokens but we're supporting it anyway

Rotate Roleset Account

  • This method is works for both gcp_secret_types and is triggered by calling this function with :service_account_key
  • This method will replace the KeyID AND the email that the roleset account uses to generate secrets
  • Based on testing, this method immediately invalidates previously generated secrets

Example

iex(5)> Ptolemy.Engines.GCP.delete(server, :gcp_engine, :service_account_key, "new_roleset")
{:ok, "Rotated"}
Link to this function

delete!(server_name, engine_name, secret_type, roleset_name) View Source
delete!(atom(), atom(), gcp_secret_type(), String.t()) :: :ok | no_return()

Rotates a roleset account, erroring out if an error occurs.

See the documentation for delete/4 for more information on the exact behaviour of rotating rolesets.

Link to this function

generate_roleset(secret_type, project, bindings, scopes \\ []) View Source
generate_roleset(gcp_secret_type(), String.t(), String.t(), [String.t()]) ::
  roleset()

Generates type roleset from inputs.

Link to this function

read(server_name, engine_name, secret_type, roleset_name) View Source
read(atom(), atom(), gcp_secret_type(), String.t()) ::
  {:ok, map()} | {:error, String.t()}

Generates an access token/service account key from the given roleset.

Example

iex(2)> Ptolemy.Engines.GCP.read(server, :gcp_engine, :service_account_key, "roleset_name")
{:ok, %{
  "key_algorithm" => "KEY_ALG_RSA_2048"
  "key_type" => "TYPE_GOOGLE_CREDENTIALS_FILE",
  "private_key_data" => "shhh....."
}}

iex(3)> Ptolemy.Engines.GCP.read(server, :gcp_engine, :access_token, "access_roleset")
{:ok, %{
  "expires_at_seconds" => 1553274174,
  "token" => "shhh.....",
  "token_ttl" => 3599
}}
Link to this function

read!(server_name, engine_name, secret_type, roleset_name) View Source
read!(atom(), atom(), gcp_secret_type(), String.t()) :: map() | no_return()

Generates an access token/service account key from the given roleset, erroring out if an error occurs.

Link to this function

read_roleset!(server_name, engine_name, roleset_name) View Source
read_roleset!(atom(), atom(), String.t()) :: roleset() | no_return()

Retreives the current configuration for a given roleset, erroring out if an error occurs.

The response can be used for changing the bindings or scopes to then update the roleset.

Link to this function

update(server_name, engine_name, roleset_name, roleset_payload) View Source
update(atom(), atom(), String.t(), roleset()) ::
  {:ok, String.t()} | {:error, String.t()}

Updates a roleset by simply calling create with the new payload.

This changes the account email.

Note that once a roleset is created, only the attributes bindings and token_scopes can be changed.

If you are unsure of a roleset's configuration, it is recommended that you use the function read_roleset!/3, update the resulting map, and then call update with the new map to ensure that you are modifying only the editable attributes.

Example

iex(4)> Ptolemy.Engines.GCP.update(server, :gcp_engine, "roleset_name", %{
  bindings: "resource "//cloudresourcemanager.googleapis.com/projects/project-name" {roles = ["roles/editor"]}",
  project: "project-name",
  secret_type: "service_account_key"
})
{:ok, "Roleset implemented"}
Link to this function

update!(server_name, engine_name, roleset_name, roleset_payload) View Source
update!(atom(), atom(), String.t(), roleset()) :: :ok | no_return()

Updates a roleset account given a new payload, erroring out if an error occurs.