From e43fe23e910613f9486ec10964509da3cea1909e Mon Sep 17 00:00:00 2001 From: James <135497751+pixambi@users.noreply.github.com> Date: Sat, 14 Dec 2024 02:50:24 +1100 Subject: [PATCH] Docs/secrets sync ssrf private endpoints (#28746) * docs: add Secrets Sync SSRF protection breaking change to 1.17 upgrade guide The Secrets Sync feature in 1.17.3 introduced SSRF protection that blocks private IP ranges, affecting users accessing secret stores through private endpoints. This adds documentation about the change and available options. * renamed issue * referenced secret sync ssrf known issue * re-ordered secret sync known issue in page * Hide copy-to-clipboard button on the output example codeblock --------- Co-authored-by: yhyakuna --- .../docs/upgrading/upgrade-to-1.17.x.mdx | 2 ++ ...17_secrets-sync-ssrf-private-endpoints.mdx | 21 +++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 website/content/partials/known-issues/1_17_secrets-sync-ssrf-private-endpoints.mdx diff --git a/website/content/docs/upgrading/upgrade-to-1.17.x.mdx b/website/content/docs/upgrading/upgrade-to-1.17.x.mdx index 2f04428e89..743b7dcc57 100644 --- a/website/content/docs/upgrading/upgrade-to-1.17.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.17.x.mdx @@ -204,4 +204,6 @@ more details, and information about opt-out. @include 'known-issues/sync-activation-flags-cache-not-updated.mdx' +@include 'known-issues/1_17_secrets-sync-ssrf-private-endpoints.mdx' + @include 'known-issues/duplicate-hsm-key.mdx' diff --git a/website/content/partials/known-issues/1_17_secrets-sync-ssrf-private-endpoints.mdx b/website/content/partials/known-issues/1_17_secrets-sync-ssrf-private-endpoints.mdx new file mode 100644 index 0000000000..dc0408fc39 --- /dev/null +++ b/website/content/partials/known-issues/1_17_secrets-sync-ssrf-private-endpoints.mdx 
@@ -0,0 +1,21 @@ +### Secrets Sync SSRF Protection May Block Private Endpoints + +As of version 1.17.3, Vault's Secrets Sync includes additional Server-Side Request Forgery (SSRF) protection measures. This security enhancement prevents sync operations to certain IP ranges by introducing a new SSRF-safe HTTP client. The client specifically blocks requests to private IP ranges (such as 10.0.0.0/8), which affects users accessing cloud provider secret stores through private endpoints. + +**Impact:** +- Secrets Sync operations to private IP ranges will be blocked +- Affects all destinations when accessed via private endpoints + +**Example error message:** + + + +```plaintext +couldn't sync secret with store: failed to publish event: dial tcp [IP]: prohibited IP address: [IP] is not a permitted destination (denied by: 10.0.0.0/8) +``` + + + +**Current Workaround:** +1. Remain on Vault version 1.17.2 or earlier if you require Secrets Sync with private endpoints +2. Use public endpoints for your secret store services
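Review bot: In the `upgrade-to-1.17.x.mdx` hunk, the new include name carries a `1_17_` version prefix while the two neighbouring includes (`known-issues/sync-activation-flags-cache-not-updated.mdx` and `known-issues/duplicate-hsm-key.mdx`) do not; pick one naming convention for the partials under `website/content/partials/known-issues/` so the directory stays consistent and sortable. Placing the include directly after the existing Secrets Sync known issue is the right grouping.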
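Review bot: In the new partial, the text says the SSRF-safe client blocks private ranges "such as 10.0.0.0/8" but never lists the full set of denied ranges, so an operator whose private endpoint resolves into 172.16.0.0/12, 192.168.0.0/16, or a loopback or link-local address cannot tell from this page whether they are affected; enumerate every range the client denies, in the same form the example error already reports them (`denied by: 10.0.0.0/8`). Two smaller points: the "Current Workaround" list should state the trade-off of each option, since option 1 means staying on a release without the SSRF protection and option 2 routes sync traffic over public endpoints, and should say whether an opt-out or a fix release is planned; and the three empty `+` lines on each side of the ```plaintext fence look like the remains of a wrapper component (the commit message says the copy-to-clipboard button was hidden on this block), so confirm that component is present in the committed file or drop the stray blank lines.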