Ptolemy v0.2.0 Ptolemy.Engines.GCP View Source
Ptolemy.Engines.GCP
provides a public facing API for CRUD operations for the Vault GCP engine.
Link to this section Summary
Functions
Creates a roleset account in the given engine from which access token
's and service account key's can be generated
Creates a roleset account in the given engine, erroring out if an error occurs
Creates a Tesla Client whose base URL refers to the given GCP engine
Rotate a roleset account
Rotates a roleset account, erroring out if an error occurs
Generates type roleset
from inputs
Generates an access token
/service account key
from the given roleset
Generates an access token
/service account key
from the given roleset, erroring out if an error occurs
Retreives the current configuration for a given roleset, erroring out if an error occurs
Updates a roleset by simply calling create
with the new payload
Updates a roleset account given a new payload, erroring out if an error occurs
Link to this section Types
gcp_secret_type()
View Source
gcp_secret_type() :: :access_token | :service_account_key
gcp_secret_type() :: :access_token | :service_account_key
Types of Google Cloud Secrets allowed by Vault
roleset() View Source
A GCP roleset map.
Fields:
:secret_type
- type of secret generated for this role set. i.e. "access_token", "service_account_key":project
- name of the GCP project to which this roleset's service account will belong:bindings
- bindings configuration string (read more here: https://www.vaultproject.io/docs/secrets/gcp/index.html#roleset-bindings):token_scopes
- Applies only if secret type isaccess_token
list of OAuth scopes belonging to secrets generated under this role set
Link to this section Functions
create(server_name, engine_name, roleset_name, roleset_payload) View Source
Creates a roleset account in the given engine from which access token
's and service account key's can be generated.
Example
iex(1)> Ptolemy.Engines.GCP.create(server, :gcp_engine, "roleset_name", %{
bindings: "resource "//cloudresourcemanager.googleapis.com/projects/project-name" {roles = ["roles/viewer"]}",
project: "project-name",
secret_type: "service_account_key"
})
{:ok, "Roleset implemented"}
create!(server_name, engine_name, roleset_name, roleset_payload) View Source
Creates a roleset account in the given engine, erroring out if an error occurs.
create_client(server_name, engine_name) View Source
Creates a Tesla Client whose base URL refers to the given GCP engine.
The GCP Engine requires this client to make API calls to the correct engine.
delete(server_name, engine_name, secret_type, roleset_name) View Source
Rotate a roleset account.
The Vault Google Secret Engine API offers multiple endpoints for rotating roleset accounts to invalidate previously generated secrets.
There are two methods:
Rotate Roleset Account Key
- This method is only for
access_token
secrets and is triggered by calling this function with:access_token
- This method will change the KeyID that the roleset account uses to generate secrets
- Based on testing, this method does not invalidate previously generated tokens but we're supporting it anyway
Rotate Roleset Account
- This method is works for both
gcp_secret_type
s and is triggered by calling this function with:service_account_key
- This method will replace the KeyID AND the email that the roleset account uses to generate secrets
- Based on testing, this method immediately invalidates previously generated secrets
Example
iex(5)> Ptolemy.Engines.GCP.delete(server, :gcp_engine, :service_account_key, "new_roleset")
{:ok, "Rotated"}
delete!(server_name, engine_name, secret_type, roleset_name)
View Source
delete!(atom(), atom(), gcp_secret_type(), String.t()) :: :ok | no_return()
delete!(atom(), atom(), gcp_secret_type(), String.t()) :: :ok | no_return()
Rotates a roleset account, erroring out if an error occurs.
See the documentation for delete/4
for more information on the exact behaviour
of rotating rolesets.
generate_roleset(secret_type, project, bindings, scopes \\ [])
View Source
generate_roleset(gcp_secret_type(), String.t(), String.t(), [String.t()]) ::
roleset()
generate_roleset(gcp_secret_type(), String.t(), String.t(), [String.t()]) :: roleset()
Generates type roleset
from inputs.
read(server_name, engine_name, secret_type, roleset_name) View Source
Generates an access token
/service account key
from the given roleset.
Example
iex(2)> Ptolemy.Engines.GCP.read(server, :gcp_engine, :service_account_key, "roleset_name")
{:ok, %{
"key_algorithm" => "KEY_ALG_RSA_2048"
"key_type" => "TYPE_GOOGLE_CREDENTIALS_FILE",
"private_key_data" => "shhh....."
}}
iex(3)> Ptolemy.Engines.GCP.read(server, :gcp_engine, :access_token, "access_roleset")
{:ok, %{
"expires_at_seconds" => 1553274174,
"token" => "shhh.....",
"token_ttl" => 3599
}}
read!(server_name, engine_name, secret_type, roleset_name) View Source
Generates an access token
/service account key
from the given roleset, erroring out if an error occurs.
read_roleset!(server_name, engine_name, roleset_name) View Source
Retreives the current configuration for a given roleset, erroring out if an error occurs.
The response can be used for changing the bindings or scopes to then update the roleset.
update(server_name, engine_name, roleset_name, roleset_payload) View Source
Updates a roleset by simply calling create
with the new payload.
This changes the account email.
Note that once a roleset is created, only the attributes bindings
and token_scopes
can be changed.
If you are unsure of a roleset's configuration, it is recommended that you use the
function read_roleset!/3
, update the resulting map, and then call update
with the
new map to ensure that you are modifying only the editable attributes.
Example
iex(4)> Ptolemy.Engines.GCP.update(server, :gcp_engine, "roleset_name", %{
bindings: "resource "//cloudresourcemanager.googleapis.com/projects/project-name" {roles = ["roles/editor"]}",
project: "project-name",
secret_type: "service_account_key"
})
{:ok, "Roleset implemented"}
update!(server_name, engine_name, roleset_name, roleset_payload) View Source
Updates a roleset account given a new payload, erroring out if an error occurs.