feat(secretstores.vault): Add new authentication methods

docs/LICENSE_OF_DEPENDENCIES.md

@@ -71,6 +71,7 @@ following works:
 - github.com/awnumar/memcall [Apache License 2.0](https://github.com/awnumar/memcall/blob/master/LICENSE)
 - github.com/awnumar/memguard [Apache License 2.0](https://github.com/awnumar/memguard/blob/master/LICENSE)
 - github.com/aws/aws-msk-iam-sasl-signer-go [Apache License 2.0](https://github.com/aws/aws-msk-iam-sasl-signer-go/blob/main/LICENSE)
+- github.com/aws/aws-sdk-go [Apache License 2.0](https://github.com/aws/aws-sdk-go/blob/main/LICENSE.txt)
 - github.com/aws/aws-sdk-go-v2 [Apache License 2.0](https://github.com/aws/aws-sdk-go-v2/blob/main/LICENSE.txt)
 - github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream [Apache License 2.0](https://github.com/aws/aws-sdk-go-v2/blob/main/aws/protocol/eventstream/LICENSE.txt)
 - github.com/aws/aws-sdk-go-v2/config [Apache License 2.0](https://github.com/aws/aws-sdk-go-v2/blob/main/config/LICENSE.txt)
@@ -231,6 +232,7 @@ following works:
 - github.com/hashicorp/go-multierror [Mozilla Public License 2.0](https://github.com/hashicorp/go-multierror/blob/master/LICENSE)
 - github.com/hashicorp/go-retryablehttp [Mozilla Public License 2.0](https://github.com/hashicorp/go-retryablehttp/blob/main/LICENSE)
 - github.com/hashicorp/go-rootcerts [Mozilla Public License 2.0](https://github.com/hashicorp/go-rootcerts/blob/master/LICENSE)
+- github.com/hashicorp/go-secure-stdlib/awsutil [Mozilla Public License 2.0](https://github.com/hashicorp/go-secure-stdlib/blob/main/awsutil/LICENSE)
 - github.com/hashicorp/go-secure-stdlib/parseutil [Mozilla Public License 2.0](https://github.com/hashicorp/go-secure-stdlib/blob/main/parseutil/LICENSE)
 - github.com/hashicorp/go-secure-stdlib/strutil [Mozilla Public License 2.0](https://github.com/hashicorp/go-secure-stdlib/blob/main/strutil/LICENSE)
 - github.com/hashicorp/go-sockaddr [Mozilla Public License 2.0](https://github.com/hashicorp/go-sockaddr/blob/master/LICENSE)
@@ -242,6 +244,10 @@ following works:
 - github.com/hashicorp/serf [Mozilla Public License 2.0](https://github.com/hashicorp/serf/blob/master/LICENSE)
 - github.com/hashicorp/vault/api [Mozilla Public License 2.0](https://github.com/hashicorp/vault/blob/main/api/LICENSE)
 - github.com/hashicorp/vault/api/auth/approle [Mozilla Public License 2.0](https://github.com/hashicorp/vault/blob/main/api/auth/approle/LICENSE)
+- github.com/hashicorp/vault/api/auth/aws [Mozilla Public License 2.0](https://github.com/hashicorp/vault/blob/main/api/auth/aws/LICENSE)
+- github.com/hashicorp/vault/api/auth/azure [Mozilla Public License 2.0](https://github.com/hashicorp/vault/blob/main/api/auth/azure/LICENSE)
+- github.com/hashicorp/vault/api/auth/kubernetes [Mozilla Public License 2.0](https://github.com/hashicorp/vault/blob/main/api/auth/kubernetes/LICENSE)
+- github.com/hashicorp/vault/api/auth/userpass [Mozilla Public License 2.0](https://github.com/hashicorp/vault/blob/main/api/auth/userpass/LICENSE)
 - github.com/huandu/xstrings [MIT License](https://github.com/huandu/xstrings/blob/master/LICENSE)
 - github.com/icholy/digest [MIT License](https://github.com/icholy/digest/blob/master/LICENSE)
 - github.com/imdario/mergo [BSD 3-Clause "New" or "Revised" License](https://github.com/imdario/mergo/blob/master/LICENSE)

go.mod

@@ -124,6 +124,10 @@ require (
 	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/hashicorp/vault/api v1.22.0
 	github.com/hashicorp/vault/api/auth/approle v0.11.0
+	github.com/hashicorp/vault/api/auth/aws v0.11.0
+	github.com/hashicorp/vault/api/auth/azure v0.10.0
+	github.com/hashicorp/vault/api/auth/kubernetes v0.10.0
+	github.com/hashicorp/vault/api/auth/userpass v0.11.0
 	github.com/influxdata/influxdb-observability/common v0.5.12
 	github.com/influxdata/influxdb-observability/influx2otel v0.5.12
 	github.com/influxdata/influxdb-observability/otel2influx v0.5.12
@@ -308,6 +312,7 @@ require (
 	github.com/aristanetworks/glog v0.0.0-20191112221043-67e8567f59f3 // indirect
 	github.com/armon/go-metrics v0.4.1 // indirect
 	github.com/awnumar/memcall v0.4.0 // indirect
+	github.com/aws/aws-sdk-go v1.55.7 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.5 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.43 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.18 // indirect
@@ -415,6 +420,7 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 // indirect
 	github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 // indirect
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.7 // indirect

go.sum

@@ -892,7 +892,10 @@ github.com/aws/aws-msk-iam-sasl-signer-go v1.0.4 h1:2jAwFwA0Xgcx94dUId+K24yFabsK
 github.com/aws/aws-msk-iam-sasl-signer-go v1.0.4/go.mod h1:MVYeeOhILFFemC/XlYTClvBjYZrg/EPd3ts885KrNTI=
 github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.29.11/go.mod h1:1KvfttTE3SPKMpo8g2c6jL3ZKfXtFvKscTgahTma5Xg=
+github.com/aws/aws-sdk-go v1.34.0/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.44.263/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
+github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE=
+github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
 github.com/aws/aws-sdk-go-v2 v1.18.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
 github.com/aws/aws-sdk-go-v2 v1.41.2 h1:LuT2rzqNQsauaGkPK/7813XxcZ3o3yePY0Iy891T2ls=
 github.com/aws/aws-sdk-go-v2 v1.41.2/go.mod h1:IvvlAZQXvTXznUPfRVfryiG1fbzE2NGK6m9u39YQ+S4=
@@ -1579,6 +1582,7 @@ github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
 github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
@@ -1597,6 +1601,8 @@ github.com/hashicorp/go-retryablehttp v0.7.8/go.mod h1:rjiScheydd+CxvumBsIrFKlx3
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
 github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
 github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
+github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 h1:I8bynUKMh9I7JdwtW9voJ0xmHvBpxQtLjrMFDYmhOxY=
+github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0/go.mod h1:oKHSQs4ivIfZ3fbXGQOop1XuDfdSb8RIsWTGaAanSfg=
 github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 h1:U+kC2dOhMFQctRfhK0gRctKAPTloZdMU5ZJxaesJ/VM=
 github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0/go.mod h1:Ll013mhdmsVDuoIXVfBtvgGJsXDYkTw1kooNcoCXuE0=
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
@@ -1639,6 +1645,14 @@ github.com/hashicorp/vault/api v1.22.0 h1:+HYFquE35/B74fHoIeXlZIP2YADVboaPjaSicH
 github.com/hashicorp/vault/api v1.22.0/go.mod h1:IUZA2cDvr4Ok3+NtK2Oq/r+lJeXkeCrHRmqdyWfpmGM=
 github.com/hashicorp/vault/api/auth/approle v0.11.0 h1:ViUvgqoSTqHkMi1L1Rr/LnQ+PWiRaGUBGvx4UPfmKOw=
 github.com/hashicorp/vault/api/auth/approle v0.11.0/go.mod h1:v8ZqBRw+GP264ikIw2sEBKF0VT72MEhLWnZqWt3xEG8=
+github.com/hashicorp/vault/api/auth/aws v0.11.0 h1:lWdUxrzvPotg6idNr62al4w97BgI9xTDdzMCTViNH2s=
+github.com/hashicorp/vault/api/auth/aws v0.11.0/go.mod h1:PWqdH/xqaudapmnnGP9ip2xbxT/kRW2qEgpqiQff6Gc=
+github.com/hashicorp/vault/api/auth/azure v0.10.0 h1:soTc1xmzmszDN3+xtKn1MpaWE1/mRPVC418J9Z1uP5I=
+github.com/hashicorp/vault/api/auth/azure v0.10.0/go.mod h1:5u/66YseDanWOycDJhEu6frHmsMw4UFnHK0I7w3AVx8=
+github.com/hashicorp/vault/api/auth/kubernetes v0.10.0 h1:5rqWmUFxnu3S7XYq9dafURwBgabYDFzo2Wv+AMopPHs=
+github.com/hashicorp/vault/api/auth/kubernetes v0.10.0/go.mod h1:cZZmhF6xboMDmDbMY52oj2DKW6gS0cQ9g0pJ5XIXQ5U=
+github.com/hashicorp/vault/api/auth/userpass v0.11.0 h1:iPw1PL6vzQTn2w14quKd0ZnJV+cfPe+p5CA22M45jsA=
+github.com/hashicorp/vault/api/auth/userpass v0.11.0/go.mod h1:FZ/baZ5rhruevb6kED9eh9KhorGtwM+xxVBvtXSxZsY=
 github.com/henrybear327/Proton-API-Bridge v1.0.0 h1:gjKAaWfKu++77WsZTHg6FUyPC5W0LTKWQciUm8PMZb0=
 github.com/henrybear327/Proton-API-Bridge v1.0.0/go.mod h1:gunH16hf6U74W2b9CGDaWRadiLICsoJ6KRkSt53zLts=
 github.com/henrybear327/go-proton-api v1.0.0 h1:zYi/IbjLwFAW7ltCeqXneUGJey0TN//Xo851a/BgLXw=
@@ -1752,6 +1766,7 @@ github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJS
 github.com/jlaffaye/ftp v0.2.1-0.20240918233326-1b970516f5d3 h1:ZxO6Qr2GOXPdcW80Mcn3nemvilMPvpWqxrNfK2ZnNNs=
 github.com/jlaffaye/ftp v0.2.1-0.20240918233326-1b970516f5d3/go.mod h1:dvLUr/8Fs9a2OBrEnCC5duphbkz/k/mSy5OkXg3PAgI=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
+github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=

plugins/secretstores/vault/README.md

@@ -2,7 +2,7 @@
 
 The `vault` plugin allows to utilize secrets stored in a
 [HashiCorp Vault][vault] server via the Vault API. It supports authentication
-via AppRole.
+via AppRole, Userpass, AWS IAM, AWS EC2, Azure and Kubernetes.
 
 ⭐ Telegraf v1.37.0
 🏷️ secrets
@@ -49,15 +49,67 @@ store usage.
   ## By default will use the kv-v2 engine.
   # engine = "kv-v2"
 
-  [secretstores.vault.approle]
-    ## The Role ID for AppRole Authentication, a UUID string
-    role_id = ""
+  # [secretstores.vault.approle]
+  #   ## The Role ID for AppRole Authentication, a UUID string
+  #   role_id = ""
+  #
+  #   ## Whether the Secret ID is configured to be response wrapped or not
+  #   # response_wrapped = false
+  #
+  #   ## The Secret ID for AppRole Authentication
+  #   secret = ""
 
-    ## Whether the Secret ID is configured to be response wrapped or not
-    # response_wrapped = false
+  # [secretstores.vault.aws_ec2]
+  #   ## The Role Name for AWS EC2 authentication
+  #   role_name = ""
+  #
+  #   ## The AWS region, defaulting to "us-east-1" if unset
+  #   # region = "us-east-1"
+  #
+  #   ## The signature type to use, defaulting to "pkcs7"
+  #   ## Allowed options: "pkcs7", "identity", "rsa2048"
+  #   # signature_type = "pkcs7"
+
+  # ## Credentials will be set using the values in the environment variables:
+  # ## - AWS_ACCESS_KEY_ID
+  # ## - AWS_SECRET_ACCESS_KEY
+  # ## - AWS_SESSION_TOKEN
+  # ## To specify a path to a credentials file instead, set:
+  # ## - AWS_SHARED_CREDENTIALS_FILE
+  # [secretstores.vault.aws_iam]
+  #   ## The Role Name for AWS IAM authentication
+  #   role_name = ""
+  #
+  #   ## The AWS region, defaulting to "us-east-1" if unset
+  #   # region = "us-east-1"
+  #
+  #   ## An optional server ID header to provide, with the key
+  #   ## "X-Vault-AWS-IAM-Server-ID"
+  #   # server_id_header = ""
+
+  # [secretstores.vault.azure]
+  #   ## The Role Name for Azure authentication
+  #   role_name = ""
+  #
+  #   ## The Azure Resource URL to use as the aud value on the JWT token to
+  #   ## use rather than the default of Azure Public Cloud's ARM URL.
+  #   ## Defaults to "https://management.azure.com/"
+  #   # resource_url = "https://management.azure.com/"
+
+  # [secretstores.vault.kubernetes]
+  #   ## The Kubernetes service account role name
+  #   role_name = ""
+  #
+  #   ## The Kubernetes service account token
+  #   service_account_token = ""
+
+  # [secretstores.vault.userpass]
+  #   ## The Vault Userpass username
+  #   username = ""
+  #
+  #   ## The Vault Userpass password
+  #   password = ""
 
-    ## The Secret ID for AppRole Authentication
-    secret = ""
 ```
 
 [vault]: https://www.hashicorp.com/en/products/vault

plugins/secretstores/vault/auth/approle.go

@@ -0,0 +1,59 @@
+package auth
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	vault "github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/api/auth/approle"
+
+	"github.com/influxdata/telegraf/config"
+)
+
+type AppRole struct {
+	RoleID          string        `toml:"role_id"`
+	ResponseWrapped bool          `toml:"response_wrapped"`
+	Secret          config.Secret `toml:"secret"`
+}
+
+// Init validates the auth method options and sets any necessary defaults
+func (a *AppRole) Init() error {
+	if a.RoleID == "" {
+		return errors.New("approle role_id missing")
+	}
+	if a.Secret.Empty() {
+		return errors.New("approle secret missing")
+	}
+	return nil
+}
+
+// Authenticate uses the provided configuration to authenticate to Vault
+func (a *AppRole) Authenticate(v *vault.Client) (*vault.Secret, error) {
+	secret, err := a.Secret.Get()
+	if err != nil {
+		return nil, fmt.Errorf("getting secret failed: %w", err)
+	}
+	secretID := &approle.SecretID{FromString: secret.String()}
+	defer secret.Destroy()
+
+	var opts []approle.LoginOption
+	if a.ResponseWrapped {
+		opts = append(opts, approle.WithWrappingToken())
+	}
+
+	appRoleAuth, err := approle.NewAppRoleAuth(a.RoleID, secretID, opts...)
+	if err != nil {
+		return nil, fmt.Errorf("unable to initialize AppRole auth method: %w", err)
+	}
+
+	authInfo, err := v.Auth().Login(context.Background(), appRoleAuth)
+	if err != nil {
+		return nil, fmt.Errorf("unable to login to AppRole auth method: %w", err)
+	}
+	if authInfo == nil {
+		return nil, errors.New("no auth info was returned after login")
+	}
+
+	return authInfo, nil
+}

plugins/secretstores/vault/auth/auth.go

@@ -0,0 +1,11 @@
+package auth
+
+import vault "github.com/hashicorp/vault/api"
+
+type VaultAuth interface {
+	// Init validates the auth method options and sets any necessary defaults
+	Init() error
+
+	// Authenticate uses the provided configuration to authenticate to Vault
+	Authenticate(*vault.Client) (*vault.Secret, error)
+}

plugins/secretstores/vault/auth/aws.go

@@ -0,0 +1,116 @@
+package auth
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	vault "github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/api/auth/aws"
+)
+
+type AwsIAM struct {
+	RoleName       string `toml:"role_name"`
+	Region         string `toml:"region"`
+	ServerIDHeader string `toml:"server_id_header"`
+}
+
+// Init validates the auth method options and sets any necessary defaults
+func (a *AwsIAM) Init() error {
+	if a.RoleName == "" {
+		return errors.New("aws iam role_name missing")
+	}
+
+	if a.Region == "" {
+		a.Region = "us-east-1"
+	}
+
+	return nil
+}
+
+// Authenticate uses the provided configuration to authenticate to Vault
+func (a *AwsIAM) Authenticate(v *vault.Client) (*vault.Secret, error) {
+	opts := []aws.LoginOption{
+		aws.WithIAMAuth(),
+		aws.WithRole(a.RoleName),
+		aws.WithRegion(a.Region),
+	}
+	if a.ServerIDHeader != "" {
+		opts = append(opts, aws.WithIAMServerIDHeader(a.ServerIDHeader))
+	}
+
+	awsAuth, err := aws.NewAWSAuth(opts...)
+	if err != nil {
+		return nil, fmt.Errorf("unable to initialize AWS IAM auth method: %w", err)
+	}
+
+	authInfo, err := v.Auth().Login(context.Background(), awsAuth)
+	if err != nil {
+		return nil, fmt.Errorf("unable to login to AWS IAM auth method: %w", err)
+	}
+	if authInfo == nil {
+		return nil, errors.New("no auth info was returned after login")
+	}
+
+	return authInfo, nil
+}
+
+type AwsEC2 struct {
+	RoleName      string `toml:"role_name"`
+	Region        string `toml:"region"`
+	SignatureType string `toml:"signature_type"`
+}
+
+// Init validates the auth method options and sets any necessary defaults
+func (a *AwsEC2) Init() error {
+	if a.RoleName == "" {
+		return errors.New("aws ec2 role_name missing")
+	}
+
+	switch a.SignatureType {
+	case "":
+		a.SignatureType = "pkcs7"
+	case "pkcs7", "identity", "rsa2048":
+	default:
+		return fmt.Errorf("unknown signature type: %q", a.SignatureType)
+	}
+
+	if a.Region == "" {
+		a.Region = "us-east-1"
+	}
+
+	return nil
+}
+
+// Authenticate uses the provided configuration to authenticate to Vault
+func (a *AwsEC2) Authenticate(v *vault.Client) (*vault.Secret, error) {
+	opts := []aws.LoginOption{
+		aws.WithEC2Auth(),
+		aws.WithRole(a.RoleName),
+		aws.WithRegion(a.Region),
+	}
+
+	switch a.SignatureType {
+	case "pkcs7":
+		opts = append(opts, aws.WithPKCS7Signature())
+	case "identity":
+		opts = append(opts, aws.WithIdentitySignature())
+	case "rsa2048":
+		opts = append(opts, aws.WithRSA2048Signature())
+	}
+
+	awsAuth, err := aws.NewAWSAuth(opts...)
+	if err != nil {
+		return nil, fmt.Errorf("unable to initialize AWS EC2 auth method: %w", err)
+	}
+
+	authInfo, err := v.Auth().Login(context.Background(), awsAuth)
+	if err != nil {
+		return nil, fmt.Errorf("unable to login to AWS EC2 auth method: %w", err)
+	}
+	if authInfo == nil {
+		return nil, errors.New("no auth info was returned after login")
+	}
+
+	return authInfo, nil
+}