    Ryan Lane
    @ryan-lane
    @mtanatwine that's from the pod trying to fetch from the server, right? not the server?
    on the server side we're not setting getUser from what I can see
    let me look at the client code. it's possible it uses GetUser in some cases
    (but it isn't required)
    ah, yeah, if the auth context is set to user and the "from" context isn't set, it'll use GetUser to try to auto-set the from context
    if you explicitly set the from context, that won't happen
    Matt
    @mtanatwine
    I've got that set in the /etc/confidant/config thusly:
      auth_context:
        from: sb0001-dev
        to: k8s-confidant
        user_type: service
    and yeah, it's from the pod trying to fetch from the confidant server
    Matt
    @mtanatwine
    ok, never mind.. I had a leftover ~/.confidant that I'm fairly sure I checked for earlier but apparently not :facepalm:
    Ryan Lane
    @ryan-lane
    ah. heh. no worries!
    Matt
    @mtanatwine
    This might be a dumb question, but I couldn't find any reference in the docs or from the command line help output... is there no way of adding regular credentials and services via the client or programmatically? I've found some routes in the code, but it appears to only be supported when using the web interface. I only ask as we have a lot of credentials to add across all our environments and it would be a hell of a lot quicker to write some code to mass import this stuff.
    Ryan Lane
    @ryan-lane
    hm, yeah, it looks like the CLI doesn't directly support it. we have code for creating/updating blind credentials, but not credentials
    the APIs for the CLI and web work the same way, though
    (I'm not really able to add CLI support right now, but it should be straightforward if you were to add support, and we'd love to have the help)
    Matt
    @mtanatwine
    I'm guessing then to authenticate using the cli, you'd need to use kms user authentication, and the only way that confidant verifies that you're authorised to do it is by deferring to IAM, i.e. whether the user is allowed to encrypt with the user key
    Ryan Lane
    @ryan-lane
    yep, exactly
    you can restrict to individual users with IAM for this
    or to groups
    confidant ships with a default ACL setup, but also has ways to customize it with code
    Matt
    @mtanatwine
    yeah, that was a stretch goal of ours but not a requirement to get it implemented
    Ryan Lane
    @ryan-lane
    note that you want the "user" kmsauth type for this. the default ACL limits the "service" kmsauth type to get_service
    Ryan Lane
    @ryan-lane
    yep!
    Matt
    @mtanatwine
    just a heads up, it says here (https://lyft.github.io/confidant/api.html#post--v1-credentials) that enabled defaults to true, but it wouldn't let me post unless I set it in my post body.
        raise ValueError("Attribute '{0}' cannot be None".format(attr.attr_name))
    ValueError: Attribute 'enabled' cannot be None
    Matt
    @mtanatwine
    I'd submit a PR to contribute / fix but my main prio is getting this system implemented here first 😁... maybe afterwards I can look into it
    Ryan Lane
    @ryan-lane
    @mtanatwine if you find things like that, please open some bugs. I have time to fix that kind of stuff for sure :)
    (I hate bad docs)
    Matt
    @mtanatwine
    I'm fairly sure you'll regret asking me to do that. I've seen quite a few bits that could do with some love :joy:
    Ryan Lane
    @ryan-lane
    hahaha, nah, I like writing docs and it's good to have a fresh set of eyes point out issues
    David
    @jdavid82
    Hi everyone, I'm a .NET developer and I've been asked to research lyft/confidant. Do you guys have a YouTube channel or a page that explains what the purpose of this project is? Thank you. I already saw this page: https://lyft.github.io/confidant/install.html and this page https://lyft.github.io/confidant/ but I don't know what I would say if I were to try to convince someone to use it. Any pointers would be appreciated, thanks