Request to auto-connect password-manager-service

Hi, i need password-manager-service for hashicorp boundary ( application stores the tokens in the secret-service).

And system-observe too.

Hi ! @metanovii .

Can you show your *.yaml file ?

What’s the goal of this maneuver ?

name: 'boundary'
base: core22
version: 'v0.15.3'
summary: boundary
description: |
  Boundary enables identity-based access management for dynamic infrastructure.

grade: stable
confinement: strict

  - build-on: amd64
  - build-on: arm64

    plugin: go
    source-type: git
    override-build: |
      make build
      install $SNAPCRAFT_PART_BUILD/bin/boundary -D $SNAPCRAFT_PART_INSTALL/bin/boundary
      - build-essential
      - jq
      - go
      - docker
      - node/18/stable
    command: bin/boundary
      - network
      - network-bind
      - system-observe
      - password-manager-service
      - desktop
      - desktop-legacy

What kind of maneuver are we talking about? As I said earlier, the password-manager-service is needed so that the application can store tokens for subsequent sessions. I’m not sure about system-observe, it just throws errors without it.

❯ boundary authenticate oidc
Opening returned authentication URL in your browser...
Unable to open authentication URL in browser: 1 error occurred:
        * Unable to read /proc/1/cgroup: open /proc/1/cgroup: permission denied

Please copy and paste this link into a browser manually:

Authentication information:
  Account ID:      acctoidc_orIEsyU5k8
  Auth Method ID:  amoidc_4W31SnCYCJ
  Expiration Time: Mon, 08 Apr 2024 17:19:59 MSK
  User ID:         u_jUGc5eOGRX
Error opening "secret-service" keyring: Specified keyring backend not available
The token was not successfully saved to a system keyring. The token is:


It must be manually passed in via the BOUNDARY_TOKEN env var or -token flag. Storing the token can also be disabled via -keyring-type=none.

Okay @metanovii .

What’s the issue ?

Would you want to autoconnect password-manager-service ?

Yes. And system-observe.

Okay @metanovii .

Snapcrafters accredited for this type of task will take care of it :slight_smile: .

Be patient !

You’ll most probably not get the auto-connection. Because password-manager-service isn’t allowed to auto-connect anymore. Rather on gnome and kde you can try portals and request others to connect manually.

Hi @metanovii,

@soumyaDghosh is right, access to password-manager-service gives the snap access to all session secrets, what does not fit great the confinement mode.

The secret-portal should do work in environments supporting it (gnome/kde). I will also support the manual connection for the password-manager-service after publisher vetting if the snap description enables the user to make an informed decision

Actually, here it has some big issues. Like, there is no example app in gnome world which uses this portals and the kde one is still kinda WIP.

I think the discussion is no longer actualy. I added instructions to the description of the project, like

snap install boundary
snap connect boundary:system-observe
snap connect boundary:password-manager-service

I gave it a try when reassessing the chromium and it worked really out of the box (with the supported gnome-keyring versions). I should be able to find the code I used if it helps.

1 Like