Releases: miquella/vaulted

v3.0.0

26 Feb 17:35

General

  • Fix expiration display using a non-breaking space
  • Fix XDG_CACHE_HOME variable name in documentation
  • Update golang.org/x/crypto module (to protect against CVE-2020-9283)

SSH Agent

The SSH proxy agent implementation was extracted and then re-integrated.

  • Add HashiCorp Vault key signing
  • Add dynamic SSH key generation when a session starts
  • Add option to disable exposure of an external agent (proxying to an external agent during a session)
  • Expose both signed and unsigned SSH keys (when signing is enabled)
  • Fix leak of accepted connections which caused the SSH agent to hang (#161)
  • Fix handling of ed25519 keys
  • Indicate when a key's signature has expired
  • Indicate during session start if the HashiCorp Vault token is invalid

edit

  • Add R alias for setting the AWS region
  • Add SSH Agent options
  • Fix MFA auto-detection for non-standard partitions (e.g. aws-cn, aws-us-gov)
  • Fix loss of AWS configuration when replacing a key and secret (#153)

exec

  • Add key signing options (--ssh-signing-url, --ssh-signing-users, --ssh-generate-key, and --ssh-proxy-agent)

shell

  • Add key signing options (--ssh-signing-url, --ssh-signing-users, --ssh-generate-key, and --ssh-proxy-agent)

v2.4.1

23 Aug 21:39

General

  • Fix session expiration calculations

v2.4.0

30 Jul 22:40
  • General

    • Allow the user to re-enter the MFA code if entered incorrectly
    • Fix incorrect signing by the proxy SSH agent
    • Improvements to session caching
    • Support regional STS endpoints (this enables support for other AWS partitions)
  • Security

    • Bump the number of key derivation iterations for new vaults
  • edit

    • Display primary alias for menu options (in addition to short alias)
  • env

    • Fix documentation ordering

v2.3.0

27 Nov 23:31
  • General

    • Documented file storage locations
    • Documented exit code 69 (unavailable)
    • Changed password prompts (including askpass) to include the vault name
    • Changed the verbiage for incorrect passwords
    • Fixed doubled error messages on flag parsing
    • Fixed rare unhashable type errors
    • Go 1.11 modules support
  • Session

    • Fixed session expiration to match the expiration returned by STS
    • Assuming roles:
      • Added support for specifying account-local role names rather than a full ARN
      • Added VAULTED_ENV_ROLE_PARTITION environment variable
      • Fixed VAULTED_ENV_ROLE_PATH to match the AWS role path
  • add

    • Added create and new aliases
    • Automatic detection and configuration of MFA devices
    • Faster automatic credential importing
  • edit

    • Automatic detection and configuration of MFA devices
    • Clarify that exiting also saves
    • Clarify common editing options
    • Change "Environment" verbiage to "Session"
    • Failures to save a vault are now manifested properly
    • Prompt before overwriting an existing environment variable
    • Toggle to show and hide secrets
  • env

    • Add explicit option to refresh a session (--refresh)
    • Add option to spawn without session/temporary credentials (--no-session)
  • exec (new)

    • Execute a single command within a session
      • Includes --assume, --no-session, and --refresh support
  • passwd (new)

    • Change the password of a vault
  • rm

    • Added delete and remove aliases
  • shell

    • Add explicit option to refresh a session (--refresh)
    • Add option to spawn without session/temporary credentials (--no-session)

v2.2.0

28 Apr 23:53
  • General
    • Add meaningful, codified exit codes to enable better automated integrations
    • Improved documentation
    • Support for GUI-based password prompts via the VAULTED_ASKPASS environment variable
  • Session Cache
    • Store the name of the session in the cache
    • Expirations are no longer stored as unix epochs (this will invalidate existing cached sessions)
    • Expiration tolerance is now 15 minutes (up from 5 minutes)
    • Credentials are now cached before performing an assume role (this lifts the 1 hour restriction when a vault is configured to assume a role)
  • Add
    • Fix to complain if the vault already exists
    • Prompt to import existing credentials from environment variables
  • Edit
    • Fix to complain if the vault doesn't already exist
    • Usability and color tweaks
    • Emphasize temporary credential usage (clarifying that the access key provided will not, necessarily, match those in a resulting session)
    • Warn when using STS if MFA isn't configured (AWS STS doesn't allow IAM calls unless MFA is configured)
  • Env
    • Fix scoping issue when setting fish environment variables
    • Fix suggested command for loading environment variables into fish and sh-like shells
    • Add --format flag to allow custom output formatting
    • Add --assume flag to allow ad-hoc role assumption (if no vault is specified when --assume is provided, credentials are loaded from default locations such as the environment)
    • Add VAULTED_ENV_EXPIRATION variable specified in RFC3339 format
    • Add VAULTED_ENV_ROLE_ARN, VAULTED_ENV_ROLE_NAME, VAULTED_ENV_ROLE_PATH, and VAULTED_ENV_ROLE_ACCOUNT_ID variables when assuming a role
  • Shell
    • Add --assume flag to allow ad-hoc role assumption (if no vault is specified when --assume is provided, credentials are loaded from default locations such as the environment)
    • Add VAULTED_ENV_EXPIRATION variable specified in RFC3339 format
    • Add VAULTED_ENV_ROLE_ARN, VAULTED_ENV_ROLE_NAME, VAULTED_ENV_ROLE_PATH, and VAULTED_ENV_ROLE_ACCOUNT_ID variables when assuming a role

v2.1.1

17 Apr 21:00

Fix vaulted env injecting AWS credentials

v2.1.0

23 Mar 17:52
  • General
    • Add version subcommand
    • Change --help arguments to open the corresponding man page
  • Edit
    • Message indicating whether the vault was saved or not
    • More intuitive editing
  • List
    • Indicate the active vault (if any)
  • Remove
    • Fix vault removal to also remove any cached environment
  • Spawn
    • Fix execution of commands with arguments (e.g. vaulted -n name CMD -e)
  • Spawned Environment
    • Add ability to disable temporary credential generation (STS)
    • Add AWS_SECURITY_TOKEN (some older AWS SDKs require this)
    • Fix assuming a role cross-account
    • Fix AWS environment vars getting blended with outer environment
    • Fix MFA prompt to be accessible when stdin/stdout are redirected
    • Fix SSH keys to respect the vault's duration
    • Fix signal handling such that signals are relayed to the spawned process
  • Shell
    • Display time remaining when spawning a shell

2.0

18 Aug 18:21

This version has been rewritten and is now released under the MIT license.

Highlights:

  • AWS integration
    • MFA support
    • Assume role support
    • Specification of STS token duration
  • Embedded SSH agent
    • SSH keys stored in the vault are automatically injected into the environment
  • New CLI
  • Interactive vault editing
  • Vault format changes:
    • Uses NaCl's secretbox format for encrypting vaults
    • Separate file for each vault, allowing each vault to have a separate password