Paramaterstore

[jmahowald]

AWS Parameter Store (SSM) has native support for "SecureString" types. This ends up being easier to integrate in to get the actual root token if another process needs it for vault provisioning. I debated changing just the actual logic of the KMS store, but figured it's less impactful downstream if I just created a new mode.

[simonswine]

Thanks for your PR @jmahowald. Sorry that it took a while. I am having this issue when I am trying to run the CI tests: (Sorry these are not yet publicly accessible)

FAIL    github.com/jetstack/vault-unsealer/pkg/kv/aws_param     0.894s
--- FAIL: TestAWSIntegration (0.69s)
        aws_ssm_test.go:55: Unexpected error storing value in SSM kv: key '%s' not found
        aws_ssm_test.go:59: Unexpected decrypt output: exp=payload123 act=

[danaps]

@jmahowald tried your branch, it works perfectly with parameters store.

[davidholsgrove]

+1 for using SecureStrings without any base64 encoding in parameter store.
@simonswine - can we help get this merged?

[raoofm]

@simonswine is this being tracked?

[raoofm]

/cc @munnerz

[jetstack-bot]

@jmahowald: PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.