
Vault Agent Auto-Auth Enhancement To Write Credentials #6275

Closed
shelby-moore opened this issue Feb 21, 2019 · 4 comments

Comments

@shelby-moore

Is your feature request related to a problem? Please describe.
Vault agent auto-auth allows for automatic authentication in multiple environments and handles keeping the auth token fresh. This could be expanded on to handle pulling secrets and writing them to a configured sink automatically based on additional configuration.

Describe the solution you'd like
I’m going to focus on the use case of a deployment in Kubernetes for my description of a potential solution. As part of my deployment, I would specify configuration (e.g. as a config map) for the credentials I want to read from Vault and where I would like them mounted in the pod(s) (container/file path). The agent would handle mounting these secrets into the pod(s) and renewing the leases/regenerating the credentials as needed.

Describe alternatives you've considered
Writing a custom tool to manually handle renewing the auth token in addition to using the Vault go http sdk to read credentials and renew leases/regenerate the credentials as needed.

Perhaps there's a better way to store the credentials than in file(s)?

Explain any additional use-cases
I would imagine the solution I outlined above could be used in multiple environments, e.g. on AWS as well.

@chrishoffman
Contributor

We are looking at improving our Kubernetes integration generally but nothing to report yet. I believe you can accomplish what you are talking about using Vault Agent and Consul Template. Consul Template was updated in the last couple of days to support reading the token file that is output from Vault Agent and you can use that to write Vault secrets to a file.
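A worked example of the wiring described in this comment, added here and not taken from the thread or from either project's docs: Vault Agent authenticates with the Kubernetes auth method and writes its token to a file sink, and Consul Template reads that sink via `vault_agent_token_file` and renders a database credential to a file. The role name `my-app`, the secret path `database/creds/app-readonly`, the Vault address and the file paths are assumptions.

```hcl
# --- vault-agent.hcl (assumed filename) ---
vault {
  address = "https://vault.example.com:8200"   # assumed address
}

auto_auth {
  method "kubernetes" {
    mount_path = "auth/kubernetes"
    config = {
      role = "my-app"                           # assumed Vault role bound to the pod's service account
    }
  }

  # The agent keeps this token renewed; the file is the hand-off point to Consul Template.
  sink "file" {
    config = {
      path = "/home/vault/.vault-token"         # assumed path; keep it readable only by these two processes
    }
  }
}

# --- consul-template.hcl (assumed filename) ---
vault {
  address                = "https://vault.example.com:8200"
  vault_agent_token_file = "/home/vault/.vault-token"   # read the token the agent wrote
  renew_token            = false                        # the agent already renews it; don't renew twice
}

template {
  # Inline template: fetch a dynamic DB credential and render it as an env file.
  # Consul Template re-renders it when the lease nears expiry, so the file always holds a live credential.
  contents    = "{{ with secret \"database/creds/app-readonly\" }}DB_USER={{ .Data.username }}\nDB_PASS={{ .Data.password }}\n{{ end }}"
  destination = "/secrets/db-creds.env"         # assumed path, e.g. an emptyDir shared with the app container
  perms       = 0600
}
```

Both processes run as sidecars in the pod; the application only ever sees the rendered file, never the Vault token.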

@michelvocks
Contributor

There is also an unofficial Vault-CRD which I know works for several people: https://github.com/DaspawnW/vault-crd

@zfLQ2qx2

@chrishoffman That would be awesome. Vault + Vault Agent could potentially solve the problem of giving short-lived AWS credentials to Kubernetes pods without giving everything on the same node the same permissions. Right now the best AWS can suggest is to run things on different nodes and use taints to keep other things off the same node.

@michelvocks
Contributor

Closing this since #7652 has been merged which addresses this issue.
