
Renewal of vault auth token #77

Merged
merged 1 commit into from
Mar 8, 2023

Conversation

@Pratiyush05Pushkar (Contributor) commented Feb 19, 2023

Hi all,

Use case

In general, teams don't use the vault root token to access vault from this application (in their PROD env). If those tokens are made renewable, we can periodically renew those tokens from the vault client. So once those tokens are set and this application has been deployed, there won't be any downtime due to vault auth token expiration.

Our scenario

We have deployed this in our PROD env, where it accesses the PROD vault with a token (max lifetime can be set to 32 days). So once that token expires, we need to create another token from vault and re-deploy this app with the new token. This creates some downtime for the application.

In this PR

There is already an API in the vault client (NewLifeTimeWatcher) which renews the secrets passed to it. I used code from this function to call NewLifeTimeWatcher in a separate goroutine to renew the vault auth token.

We can create a renewable vault token with max_ttl_time 0s (no max_ttl) and 32 days as expiration time by the following command:

vault token create -policy=<POLICY_NAME> -period=768h

And then set it as the VAULT_TOKEN env in the docker image/container and deploy the app. This token is used to access VAULT, and when it nears its expiration time, it gets renewed by the NewLifeTimeWatcher goroutine.

Outputs

[Screenshot 2023-02-19 at 4.32.24 PM]

Configuration used for this output:

  1. Created a vault auth token with a validity of 6 minutes. That's why the output says remaining duration: 360 s
  2. Used docker-compose for running this app (set VAULT_TOKEN and VAULT_ADDR in docker-compose.yaml).

Issue

In the case of the root token which is being used in DEV mode, root tokens are not renewable, so the output shows an error on its renewal once.
[Screenshot 2023-02-19 at 4.44.49 PM]

Hope you people like this PR. I am open to any feedback.
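The renewal loop the PR describes (a goroutine that renews the auth token before it expires, plus the root-token case from the Issue section), as an added Go example that is not the PR's code and does not use the Vault client library or its NewLifetimeWatcher: `TokenRenewer`, `RenewSelf`, `WatchToken`, `RunWatcher`, `renewAt`, `fakeVault` and `ErrNotRenewable` are all assumed names, the fake server is constructed for the example, and the "renew at two thirds of the TTL" schedule is a simplification rather than the client's own grace-period logic.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// ErrNotRenewable stands in for Vault's "lease is not renewable" error (constructed).
var ErrNotRenewable = errors.New("lease is not renewable")

// TokenRenewer is the one call the watcher needs from a Vault client (assumed interface).
type TokenRenewer interface {
	RenewSelf(ctx context.Context) (newTTL time.Duration, err error)
}

type RenewEvent struct { // one renewal attempt, for callers (and tests) to inspect
	NewTTL time.Duration
	Err    error
}

// renewAt waits two thirds of the TTL: room for one failed attempt and a retry.
func renewAt(ttl time.Duration) time.Duration {
	if ttl <= 0 {
		return 0
	}
	return ttl * 2 / 3
}

// WatchToken renews the token in its own goroutine until ctx is cancelled, the token
// proves non-renewable, or its remaining TTL is used up, reporting every attempt.
func WatchToken(ctx context.Context, r TokenRenewer, initialTTL time.Duration) <-chan RenewEvent {
	events := make(chan RenewEvent)
	go func() {
		defer close(events) // tells the consumer the watcher has stopped
		ttl := initialTTL
		for wait := renewAt(ttl); wait > 0; wait = renewAt(ttl) {
			select {
			case <-ctx.Done():
				return
			case <-time.After(wait):
			}
			newTTL, err := r.RenewSelf(ctx)
			select {
			case events <- RenewEvent{NewTTL: newTTL, Err: err}:
			case <-ctx.Done():
				return
			}
			switch {
			case errors.Is(err, ErrNotRenewable):
				return // root token: report the error once, then stop trying
			case err != nil:
				ttl -= wait // transient failure: retry within what is left
			default:
				ttl = newTTL
			}
		}
	}()
	return events
}

// RunWatcher drives WatchToken, keeps the first limit events, then stops it.
func RunWatcher(r TokenRenewer, ttl time.Duration, limit int) []RenewEvent {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	var got []RenewEvent
	for ev := range WatchToken(ctx, r, ttl) {
		if len(got) < limit {
			got = append(got, ev)
		}
		if len(got) >= limit {
			cancel() // the loop notices at its next wait and closes the channel
		}
	}
	return got
}

// fakeVault is a constructed stand-in for a Vault server: it refuses a non-renewable
// token, injects `failures` transient errors, and otherwise hands back a fresh TTL.
type fakeVault struct {
	renewable bool
	ttl       time.Duration
	failures  int
}

func (f *fakeVault) RenewSelf(context.Context) (time.Duration, error) {
	if !f.renewable {
		return 0, ErrNotRenewable
	}
	if f.failures > 0 {
		f.failures--
		return 0, errors.New("connection reset") // constructed transient error
	}
	return f.ttl, nil
}

func main() {
	periodic := &fakeVault{renewable: true, ttl: 30 * time.Millisecond, failures: 1} // constructed demo token
	fmt.Println(RunWatcher(periodic, 30*time.Millisecond, 3))   // [{0s connection reset} {30ms <nil>} {30ms <nil>}]
	fmt.Println(RunWatcher(&fakeVault{}, 30*time.Millisecond, 3)) // [{0s lease is not renewable}]
}
```

In a real deployment the `TokenRenewer` would wrap the Vault client's token self-renew call, and the `initialTTL` would come from the token's own lookup rather than a constant. With a periodic token created as the PR shows (`-period=768h`, no max TTL) the loop can keep renewing indefinitely; with a root token the first attempt returns the non-renewable error once and the watcher stops, which is the behaviour the Issue section reports, so the application keeps running on the unexpired root token instead of spamming failed renewals.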

@Pratiyush05Pushkar Pratiyush05Pushkar changed the title Renew vault auth token Renewal of vault auth token Feb 19, 2023
@ankit-ls commented Mar 7, 2023

@eranchetz Could you please look at this PR? This would help us in auto-renewing vault tokens for supersecret. Currently it is a chore to manually update these tokens after 30 days (as vault does not support issuing tokens longer than 30 days).

@eranchetz (Collaborator) commented

Sorry for the delay on my side.
Since we do not have a test for that, I would hopefully be able to test it manually this week and merge it.

@ankit-ls commented Mar 7, 2023

Thanks @eranchetz, appreciate your quick response. 🙂

@eranchetz eranchetz merged commit 8ac0fc7 into algolia:master Mar 8, 2023