
[feature] Auto revoke Vault token on Agent Shutdown #6492

Open
lawliet89 opened this issue Mar 28, 2019 · 7 comments

Comments

@lawliet89
Contributor

lawliet89 commented Mar 28, 2019

Is your feature request related to a problem? Please describe.
When running Vault agent as sidecars on non-Nomad orchestration tools like Kubernetes, it is desirable to immediately revoke the Vault token on application shutdown, especially when dealing with credentials that have numerical limits like the GCP Secrets engine service account keys.

Describe the solution you'd like

Add an option to configure the auto-auth feature in Vault agent to revoke access tokens when shutting down. Would be great if it comes with a "grace" period setting that waits x seconds before revoking the token.

Describe alternatives you've considered

  • Wrapping the invocation of Vault agent in bash scripts to trap termination and revoke tokens.
  • Use "termination" features in the orchestrator to do the revoking.
@lawliet89 lawliet89 changed the title [feature] Auto revoke token on Vault Agent Shutdown [feature] Auto revoke Vault token on Agent Shutdown Mar 28, 2019
@ncabatoff
Collaborator

Doing things "on shutdown" is inherently unreliable, since there are cases where the application isn't given the chance to clean up on exit (e.g. machine crashing, kill -9) or where the application doesn't shut down but is abandoned by the cluster (e.g. node is on the other side of quorum during a network partition). Why not simply use a short TTL, say 30s, and then all such cases will be handled?

@lawliet89
Contributor Author

lawliet89 commented Mar 28, 2019

That's possible too, although the increase in the volume of renewals will make the audit logs super noisy.

Between choosing a short TTL and the alternatives I've considered, I wouldn't go for a short TTL.

I mean this could be done on a "best effort" basis. The TTL will be a "backup" in case this fails.

@jefferai
Member

I don't see any issue with defense in depth.

@TJM

TJM commented Apr 7, 2022

There is a setting in the Kubernetes agent injector to revoke on shutdown.

https://github.com/hashicorp/vault-helm/blob/main/values.yaml#L91-L92

It shouldn't be too hard to adapt that to whatever you are doing (not injector?)

@lawliet89
Contributor Author

@TJM that setting is a workaround that I implemented for vault-k8s in hashicorp/vault-k8s#67

There is no magic involved. It's just a pod pre-stop hook to use Vault CLI to request a revocation. It's not foolproof. This issue is requesting a "native" solution.

@hsimon-hashicorp
Contributor

Hi folks! Is this still an issue in newer versions of Vault? Please let me know so I can bubble it up accordingly. Thanks!

@lawliet89
Contributor Author

lawliet89 commented Mar 26, 2024

I scanned through the documentation for Vault Agent and I don't see any option to revoke on shutdown.
