aws secret plugin MIA

[jmls]

In the process of migrating from Vault to OpenBao - got to the point where I've compiled and built, but then our app crashes because bao gives the error

"plugin not found in the catalog: aws"

After reading the docs, it seems that this plugin is not in the "built in" list and I have to get from the hashicorp repo . However, the aws secrets plugin is not there either ..

has this secret engine fallen down between the cracks , or are we aware of it ?

[cipherboy]

\o hey @jmls -- this was the second item on my agenda for this week's Dev WG call. It has lagged a fair bit, but AWS and GCP (and perhaps Azure as well) were high on my list to fork off into separate repos and begin soliciting contributions for. HashiCorp uses a repo structure like http://github.com/hashicorp/vault-plugin-secrets-gcp, (replacing secrets with auth as the case may be).

One of the points to revisit with the Dev WG is how much do we want to fork and take on the work for this versus continue to rely on the fact they're under the MPL?

[jmls]

from my dev manager pov, surely it would be better to keep using the plugins that are under MPL currently and focus on the other ones where we have issues with the licence , or want to change for "BaoReasons" ?

Or am I grasping the wrong end of the nettle ?

[jmls]

I'm all for the quickest way of getting the plugins back - cannot deploy without them and I really want to move away from vault asap ;)

[cipherboy]

@jmls My suggestion would be to rebuild the plugins from upstream for the time being. I think @DrDaveD previously has tested this with other plugins and found it to be working.

[jmls]

Sorry for being such a noob - but would the steps be to fork vault, checkout v1.14 (ish) , then build the project ? The plugins seem to be in "builtin/logical/aws"

Then copy the plugin to openbao and register ?

go build -o vault-plugin-secrets-aws ./builtin/logical/aws

may be my friend ;)

[cipherboy]

Ahh, I had forgotten AWS was builtin. Hmm that probably changes the calculus slightly.

For GCP you'd just clone https://github.com/hashicorp/vault-plugin-secrets-gcp and build that directly.

But yes, if you want to build AWS you probably should check out before-plugin-removal as the tag and then run:

cd builtin/logical/aws && go build ./.../cmd/aws 

perhaps.

(note you want the command, which executes the plugin, not the plugin itself).

[jmls]

thanks!

[jmls]

I'm just glad that I'm not going mad and missing the obvious :)

[jmls]

FWIW this little script when run in the root folder of openbao will extract the before_plugin_removal source into the tmp folder and build all plugins found in the builtin/logical folder, generate the sha and then copy them to the tmp/plugins folder

from there you can do what you want with them ;)

Hopefully someone will find it useful

#!/usr/bin/env bash

rm -rf tmp/plugins
rm -rf tmp/build_plugins 

mkdir -p tmp/plugins
mkdir -p tmp/build_plugins 

git archive tags/before-plugin-removal | tar -x -C tmp/build_plugins

current=`pwd`

build() {
    PLUGIN=$1
    echo $1 $PLUGIN
    cd tmp/build_plugins/builtin/logical/${PLUGIN}

    go build ./cmd/${PLUGIN}

    cd ${current}

    cp tmp/build_plugins/builtin/logical/${PLUGIN}/${PLUGIN} ${current}/tmp/plugins

    sha256sum tmp/plugins/${PLUGIN} > tmp/plugins/${PLUGIN}.sha256
}

for folder in tmp/build_plugins/builtin/logical/*/; do
    folder_name=$(basename "${folder}")

    if [[ -d "${folder}" && "${folder_name}" != "database" && "${folder_name}" != "pkiext" ]]; then
        build "${folder_name}"
    fi
done