Request to auto-connect password-manager-service

Hi, I need password-manager-service for HashiCorp Boundary (the application stores the tokens in the secret-service).

And system-observe too.

Hi! @metanovii.

Can you show your *.yaml file?

What's the goal of this maneuver?

name: 'boundary'
base: core22
version: 'v0.15.3'
summary: boundary
description: |
  Boundary enables identity-based access management for dynamic infrastructure.
  https://github.com/hashicorp/boundary

grade: stable
confinement: strict

architectures:
  - build-on: amd64
  - build-on: arm64

parts:
  build-boundary:
    plugin: go
    source: https://github.com/hashicorp/boundary
    source-type: git
    source-tag: $SNAPCRAFT_PROJECT_VERSION
    override-build: |
      make build
      install $SNAPCRAFT_PART_BUILD/bin/boundary -D $SNAPCRAFT_PART_INSTALL/bin/boundary
    build-packages:
      - build-essential
      - jq
    build-snaps:
      - go
      - docker
      - node/18/stable
apps:
  boundary:
    command: bin/boundary
    plugs:
      - network
      - network-bind
      - system-observe
      - password-manager-service
      - desktop
      - desktop-legacy

What kind of maneuver are we talking about? As I said earlier, password-manager-service is needed so that the application can store tokens for subsequent sessions. I'm not sure about system-observe; it just throws errors without it.

❯ boundary authenticate oidc
Opening returned authentication URL in your browser...
.........
Unable to open authentication URL in browser: 1 error occurred:
        * Unable to read /proc/1/cgroup: open /proc/1/cgroup: permission denied


Please copy and paste this link into a browser manually:
.............

Authentication information:
  Account ID:      acctoidc_orIEsyU5k8
  Auth Method ID:  amoidc_4W31SnCYCJ
  Expiration Time: Mon, 08 Apr 2024 17:19:59 MSK
  User ID:         u_jUGc5eOGRX
Error opening "secret-service" keyring: Specified keyring backend not available
The token was not successfully saved to a system keyring. The token is:

.........

It must be manually passed in via the BOUNDARY_TOKEN env var or -token flag. Storing the token can also be disabled via -keyring-type=none.

Okay @metanovii.

What's the issue?

Would you want to auto-connect password-manager-service?

Yes. And system-observe.

Okay @metanovii.

Snapcrafters accredited for this type of task will take care of it :slight_smile:.

Be patient!

You'll most probably not get the auto-connection, because password-manager-service isn't allowed to auto-connect anymore. Rather, on GNOME and KDE you can try portals, and ask others to connect it manually.

Hi @metanovii,

@soumyaDghosh is right: access to password-manager-service gives the snap access to all session secrets, which does not fit the confinement mode well.

The secret portal should work in environments supporting it (GNOME/KDE). I will also support manual connection of password-manager-service after publisher vetting, if the snap description enables the user to make an informed decision.

Actually, it has some big issues here. For instance, there is no example app in the GNOME world which uses these portals, and the KDE one is still kind of WIP.

I think the discussion is no longer relevant. I added instructions to the description of the project, like:

snap install boundary
snap connect boundary:system-observe
snap connect boundary:password-manager-service
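Since password-manager-service can only be connected manually, a script that drives `boundary authenticate` should check whether the plug is actually connected before relying on the keyring, and otherwise fall back to `-keyring-type=none` as the CLI output above suggests. The following is an added example, not code from this thread or from the Boundary project; it assumes the column layout of `snap connections <snap>` (Interface, Plug, Slot, Notes, with `-` in the Slot column for an unconnected plug) and uses a constructed sample of that output so it runs offline:

```shell
#!/bin/sh
# Added example: decide from `snap connections boundary` output whether the
# password-manager-service plug is connected and choose the keyring mode.

# Constructed sample of `snap connections boundary` output (assumed layout:
# Interface, Plug, Slot, Notes; "-" in the Slot column means not connected).
SAMPLE_CONNECTIONS='Interface                 Plug                               Slot             Notes
network                   boundary:network                   :network         -
network-bind              boundary:network-bind              :network-bind    -
password-manager-service  boundary:password-manager-service  -                -
system-observe            boundary:system-observe            :system-observe  manual'

# plug_connected SNAP PLUG  (reads connections output on stdin)
# Returns 0 if the row for SNAP:PLUG has a slot other than "-", 1 otherwise.
plug_connected() {
    snap_name=$1
    plug=$2
    awk -v want="${snap_name}:${plug}" '
        NR > 1 && $2 == want { if ($3 != "-") found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# keyring_flag SNAP  (reads connections output on stdin)
# Prints the -keyring-type argument to pass to "boundary authenticate":
# the secret-service keyring only when the plug is connected, otherwise none,
# so the CLI does not fail with "Specified keyring backend not available".
keyring_flag() {
    if plug_connected "$1" password-manager-service; then
        echo "-keyring-type=secret-service"
    else
        echo "-keyring-type=none"
    fi
}

# Intended usage on a real system (not executed here):
#   boundary authenticate oidc $(snap connections boundary | keyring_flag boundary)
# With the constructed sample the plug is unconnected, so the flag is
# -keyring-type=none and the token must be kept via BOUNDARY_TOKEN instead.
printf '%s\n' "$SAMPLE_CONNECTIONS" | keyring_flag boundary
```

When the flag resolves to `-keyring-type=none`, the token is printed to the terminal and has to be passed back in via `BOUNDARY_TOKEN` or `-token`, so treat that shell session as holding a live credential.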

I gave it a try when reassessing the chromium and it really worked out of the box (with the supported gnome-keyring versions). I should be able to find the code I used if it helps.
