{"id":20155269,"url":"https://github.com/redhat-cop/vault-plugin-secrets-quay","last_synced_at":"2025-10-11T16:11:08.264Z","repository":{"id":37937996,"uuid":"458320843","full_name":"redhat-cop/vault-plugin-secrets-quay","owner":"redhat-cop","description":"Vault Secrets plugin for Quay","archived":false,"fork":false,"pushed_at":"2023-03-02T02:00:27.000Z","size":110,"stargazers_count":5,"open_issues_count":9,"forks_count":1,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-04-09T22:02:58.503Z","etag":null,"topics":["container-cop"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/redhat-cop.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-11T19:48:35.000Z","updated_at":"2024-03-14T14:55:37.000Z","dependencies_parsed_at":"2024-06-19T19:01:26.273Z","dependency_job_id":"0ecf21b6-8c26-4578-bf1b-6baeebe41f78","html_url":"https://github.com/redhat-cop/vault-plugin-secrets-quay","commit_stats":{"total_commits":10,"total_committers":1,"mean_commits":10.0,"dds":0.0,"last_synced_commit":"ade3efed264156457e158bb3ec2464beb948b3b0"},"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-cop%2Fvault-plugin-secrets-quay","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-cop%2Fvault-plugin-secrets-quay/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-cop%2Fvault-plugin-secrets-quay/releases",
"manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-cop%2Fvault-plugin-secrets-quay/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/redhat-cop","download_url":"https://codeload.github.com/redhat-cop/vault-plugin-secrets-quay/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248119297,"owners_count":21050755,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["container-cop"],"created_at":"2024-11-13T23:31:11.270Z","updated_at":"2025-10-11T16:11:03.231Z","avatar_url":"https://github.com/redhat-cop.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Vault Plugin: Quay Secrets Backend\n\n**NOTE: This plugin is still in active development and functionality is expected to change frequently**\n\nThis is a standalone backend plugin for use with [Hashicorp Vault](https://www.github.com/hashicorp/vault).\n\nThis plugin manages the lifecycle of Quay Robot accounts within an organization or associated with a user. Robot accounts can be created using long lived credentials or short lived, [Dynamic Secrets](https://learn.hashicorp.com/tutorials/vault/getting-started-dynamic-secrets).\n\nAdditional information can be found in the [Getting Started](#getting-started) and [Usage](#usage) sections.\n\n**Please note**: We take Vault's security and our users' trust very seriously. 
If you believe you have found a security issue in Vault, _please responsibly disclose_ by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).\n\n## Quick Links\n\n- [Vault Website](https://www.vaultproject.io)\n- [Quay Website](https://quay.io)\n- [Vault Github Project](https://www.github.com/hashicorp/vault)\n\n## Getting Started\n\nThis is a [Vault plugin](https://www.vaultproject.io/docs/internals/plugins.html)\nand is meant to work with Vault. This guide assumes you have already installed Vault\nand have a basic understanding of how Vault works.\n\nOtherwise, first read this guide on how to [get started with Vault](https://www.vaultproject.io/intro/getting-started/install.html).\n\nTo learn specifically about how plugins work, see documentation on [Vault plugins](https://www.vaultproject.io/docs/internals/plugins.html).\n\n## Installation\n\nThe plugin can be installed by either downloading a release or building from source for your desired Operating System and architecture\n\n### Release\n\nDownload the latest stable version from the [Releases](https://github.com/sabre1041/vault-plugin-secrets-quay/blob/main/releases) page.\n\n### From Source\n\nInstructions on how to build the plugin manually can be found in the [Developing](#developing) section.\n\n### Plugin installation\n\nCustom Vault plugins require additional steps before they can be made available to Vault.\n\n1. Move the plugin binary to the `plugin_directory` as configured in Vault:\n\n```shell\nmv vault-plugin-secrets-quay-\u003cos\u003e-\u003carch\u003e \u003cplugin_directory\u003e/vault-plugin-secrets-quay\n```\n\n2. Calculate the plugin binary SHA256 sum. 
Set an environment variable called _SHA256SUM_ either using the release binary or from source.\n\n```shell\n# Using compiled binary using checksums.txt from Release\nSHA256SUM=$(grep \u003cbinary_name\u003e$ checksums.txt | cut -d' ' -f1)\n# Built from source\nSHA256SUM=$(shasum -a 256 \u003ccompiled_binary\u003e | cut -d' ' -f1)\n```\n\n3. Register the plugin in Vault\n\n```shell\nvault plugin register -sha256=$SHA256SUM vault-plugin-secrets-quay\n```\n\n4. Enable the plugin\n\n```shell\nvault secrets enable quay\n```\n\n## Configuration and Usage\n\nThis section describes how to configure and use the secrets engine.\n\n### Configuration\n\nRegister a new _config_ by providing the endpoint of the Quay instance and an OAuth token for the API. More information on how to generate an OAuth token can be found [here](https://docs.quay.io/api/).\n\n```shell\nvault write quay/config \\\n  url=https://\u003cQUAY_URL\u003e \\\n  token=\u003cTOKEN\u003e\n```\n\nThe full list of options can be found below:\n\n| Name | Description | Defaults | Required |\n| ----- | ---------- | -------- | ----- |\n| `url` | URL of the Quay instance | | Yes |\n| `token` | Quay OAuth token | | Yes |\n| `ca_certificate` | CA certificate used to verify the TLS certificate presented by the Quay instance | | No |\n| `disable_ssl_verification` | Disable SSL verification when communicating with Quay | | No |\n\n### Roles\n\nTwo different types of [roles](https://learn.hashicorp.com/tutorials/vault/custom-secrets-engine-role) can be configured:\n\n- Static Roles (`static-roles`) - Provides long lived credentials to access Quay\n- Dynamic (`roles`) - Provides short lived, temporary credentials with a TTL expiration\n\nA new _static role_ is created at the endpoint `quay/static-roles` while dynamic roles are created against the endpoint `quay/roles`.\n\nThe full list of options when configuring roles can be found below:\n\n| Name | Description | Defaults | Required |\n| ----- | ---------- | -------- | ----- |\n| `namespace_type` | Type of namespace to 
associate the Robot account to (`user` or `organization`) | `organization` | No |\n| `namespace_name` | Name of the _user_ or _organization_ the Robot account should be created within | | Yes |\n| `create_repositories` | Allow the Robot account the ability to create new repositories. Once enabled, a new _Team_ called `vault-creator` will be created with `creator` privileges | `false` | No |\n| `default_permission` | Default permissions applied for the robot account against existing and newly created repositories | | No |\n| `repositories` | Permissions applied to repositories for the Robot account (has a higher precedence than `default_permission` if defined). An example of how content should be formatted can be found [here](examples/repositories.json).  | | No |\n| `teams` | Permissions applied to Teams for the Robot account. An example of how content should be formatted can be found [here](examples/teams.json).  | | No |\n\nLet's show examples of how each can be used.\n\n### Static Roles\n\nTo manage repositories within the _myorg_ organization and assuming the OAuth token configured previously has the permissions to manage these resources, create a static role which will have permission to create repositories:\n\n```shell\n$ vault write quay/static-roles/my-static-account \\\n  namespace_name=myorg \\\n  create_repositories=true\n```\n\nCredentials for the robot account can be obtained by executing the following command:\n\n```shell\n$ vault read quay/static-creds/my-static-account\n\nKey             Value\n---             -----\nnamespace_name    myorg\nnamespace_type    organization\npassword        \u003cPASSWORD\u003e\nusername        \u003cUSERNAME\u003e\n```\n\nA new robot account will be created in the _myorg_ organization with _creator_ permissions. 
These credentials will not expire.\n\nTo remove the robot account and revoke credentials, execute the following command:\n\n```shell\nvault delete quay/static-roles/my-static-account\n```\n\n### Dynamic Secrets\n\nShort lived credentials can be created to limit the validity of a robot account. Similar to static roles, a role that leverages the dynamic secrets engine can be created using the following command:\n\n```shell\n$ vault write quay/roles/my-dynamic-account \\\n  namespace_name=myorg \\\n  create_repositories=true\n```\n\nBy default, the default _ttl_ configured in Vault is applied when a credential is requested. Otherwise, a custom ttl can be specified using `ttl=\u003cvalue\u003e` in the `vault write` command.\n\nDynamically generated credentials for a robot account can be obtained by executing the following command:\n\n```shell\n$ vault read quay/creds/my-dynamic-account\n\nKey                Value\n---                -----\nlease_id           quay/creds/my-dynamic-account/JVrcAL9Oyrat2MOgKKTdrL1T\nlease_duration     100h\nlease_renewable    true\nnamespace_name     myorg\nnamespace_type     organization\npassword           \u003cPASSWORD\u003e\nusername           \u003cUSERNAME_WITH_UNIQUE_SUFFIX\u003e\n```\n\nA robot account with a dynamically generated name (carrying a unique username suffix) will be created within the _myorg_ organization with permissions to create repositories.\n\nThe _lease_duration_ property indicates how long the credential can be used for. Once this value expires, the robot account will be deleted from Quay. The lease can be extended using the `vault lease renew` command. The `vault lease revoke` command can be used to revoke the active lease and delete the robot account.\n\nThe role itself can be removed using the following command:\n\n```shell\nvault delete quay/roles/my-dynamic-account\n```\n\n### Password Rotation\n\nStatic roles support having their passwords rotated. 
The following command can be used to rotate the password:\n\n```shell\nvault write -force quay/rotate-role/my-static-account\n```\n\nThe output returned will contain the updated password.\n\n## Developing\n\nIf you wish to work on this plugin, you'll first need\n[Go](https://www.golang.org) installed on your machine\n(version 1.17+ is _required_).\n\nFor local dev first make sure Go is properly installed, including\nsetting up a [GOPATH](https://golang.org/doc/code.html#GOPATH).\nNext, clone this repository into\n`$GOPATH/src/github.com/redhat-cop/vault-plugin-secrets-quay`.\n\nTo compile the plugin, run `make build`\n\nThis will put the plugin binary in the `vault/plugins` directory:\n\n```shell\nmake build\n```\n\nOnce the binary has been built, you can start a Vault development server:\n\n```shell\n$ vault start\n...\n```\n\nOnce the server is started, the plugin will be registered in the Vault [plugin catalog](https://www.vaultproject.io/docs/internals/plugins.html#plugin-catalog).\n\nThe plugin can be enabled by running the following command:\n\n```shell\n$ make enable\n\nvault secrets enable -path=quay vault-plugin-secrets-quay\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredhat-cop%2Fvault-plugin-secrets-quay","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fredhat-cop%2Fvault-plugin-secrets-quay","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredhat-cop%2Fvault-plugin-secrets-quay/lists"}