Hi,
We decided to use secretless broker to add secret management for our jupyter NB in our ML platform. What we want is to use secretless broker for our boto access to s3 buckets.
I am completely new to Conjur and secretless broker. Do secretless broker+Conjur OSS work in jypyterhub servers? As I know jupyterhub use HTTP_PROXY as well, will secretless broker and jupyterhub conflict each other?
Also, do you have any pass experience, doc, or tutorital for jupyterhub integration? Our ML platform runs in OCP which itself runs in AWS.
Thanks in advance.
Failed to create new s3 bucket with secretless broker:
I am trying secretless at my local to access aws s3 buckets, I can list the buckets fine, but I can’t create new bucket. is this a bug or something I did wrong?
I tried aws cli w/o secretless in between to create bucket, and it works fine.
➜ aws alias | grep aws
aws='AWS_ACCESS_KEY_ID=nothing AWS_SECRET_ACCESS_KEY=nothing AWS_DEFAULT_REGION=us-east-1 aws --endpoint-url http://secretless.empty'
➜ aws HTTP_PROXY=http://localhost:8080 aws s3 ls
2021-10-17 17:57:39 book2021
2017-02-19 11:47:24 iampolobucket
2021-10-16 14:55:19 testbug-os
➜ aws HTTP_PROXY=http://localhost:8080 aws s3 mb s3://bookttttt
make_bucket failed: s3://bookttttt An error occurred (SignatureDoesNotMatch) when calling the CreateBucket operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.
------
❯ go run cmd/secretless-broker/main.go -f ./secretless.yml -debug
2021/10/17 18:07:04 Secretless v1.7.6-dev starting up...
2021/10/17 18:07:04 Initializing health check on :5335...
2021/10/17 18:07:04 Initialization of health check done. You can access the endpoint at `/live` and `/ready`.
2021/10/17 18:07:04 [WARN] Plugin directory '/usr/local/lib/secretless' not found. Ignoring external plugins...
2021/10/17 18:07:04 Trying to load configuration file: ./secretless.yml
2021/10/17 18:07:04 [DEBUG] Waiting for new configuration...
2021/10/17 18:07:04 [INFO] Configuration found. Loading...
2021/10/17 18:07:04 [INFO] Validating config against available plugins: ssh,ssh-agent,pg,mysql,mssql,aws,basic_auth,conjur,generic_http
2021/10/17 18:07:04 [INFO] Starting HTTP listener on 0.0.0.0:8080...
2021/10/17 18:07:04 Registering reload signal listeners...
2021/10/17 18:07:04 [INFO] Starting HTTP subservice aws...
2021/10/17 18:07:05 [INFO] HTTP Proxy on tcp://0.0.0.0:8080: Starting service
2021/10/17 18:07:05 [DEBUG] Waiting for new configuration...
2021/10/17 18:07:16 [DEBUG] HTTP Proxy on tcp://0.0.0.0:8080: Got request / secretless.empty GET secretless.empty
2021/10/17 18:07:16 [DEBUG] HTTP Proxy on tcp://0.0.0.0:8080: Using connector 'aws' for request secretless.empty
2021/10/17 18:07:16 Instantiating provider 'literal'
2021/10/17 18:07:16 [DEBUG] http-aws: Signing for service=s3 region=us-east-1
2021/10/17 18:07:16 [DEBUG] HTTP Proxy on tcp://0.0.0.0:8080: Received response status: 200 OK
2021/10/17 18:07:28 [DEBUG] HTTP Proxy on tcp://0.0.0.0:8080: Got request /bookttttt secretless.empty PUT secretless.empty
2021/10/17 18:07:28 [DEBUG] HTTP Proxy on tcp://0.0.0.0:8080: Using connector 'aws' for request secretless.empty
2021/10/17 18:07:28 [DEBUG] http-aws: Signing for service=s3 region=us-east-1
2021/10/17 18:07:28 [DEBUG] HTTP Proxy on tcp://0.0.0.0:8080: Received response status: 403 Forbidden
---------------------
version: 2
services:
http-aws:
connector: aws
listenOn: tcp://0.0.0.0:8080
credentials:
accessKeyId: xxx
secretAccessKey: xxxx
config:
authenticateURLsMatching:
- ".*"
Thanks for posting this. I saw a similar issue posted on Github.
My response to the issue on Github should be useful here too:
I was able to reproduce this bug. It looks like we were not limiting the headers used for request-signing in Secretless to those used to sign the original request. I have a pull request up to fix this, over at #1432. I’ve tested it locally and confirmed that the fix works.
Once it is reviewed by the team and merged it should make its way into the next release. Please do create a build from the branch and evaluate it, it would help to get sign off from your side that the changes fix the issue.