Is your feature request related to a problem? Please describe.
When using auto-auth, the Vault agent uses a single identity to log in (with a specific role) and writes the resulting token in multiple locations. Any reader will thus have the same permissions.
In case a user wants to assign different permissions to different readers, the only possibility is to run multiple instances of the agent, each one logging in either with a different identity or with the same identity but a different role.
Describe the solution you'd like
Assuming it would be possible to assign Vault policies to each sink, the sink can use the authentication token to create a child token associated with the specified policies.
So the flow would be:
1. the auth method authenticates with the provided identity and role, generating a parent token;
2. each sink receives the parent token and generates a child token restricted to the Vault policies associated with the sink itself;
3. the sink writes the child token.
This way each sink writes a different token, thus letting different readers have different permissions.
The Vault agent can track the child tokens and thus allow caching the results of the requests it receives.
Describe alternatives you've considered
We considered a few alternatives, but each has drawbacks:
- install multiple Vault agents, each one leveraging a different identity or logging in with a different role. This approach is resource consuming and complex to set up;
- add an additional service that acts as a front-end to the Vault agent, and filters requests based on policies. This adds additional complexity and latency to every request.
Additional context
If the feature is of interest, my team can contribute the code to implement it.
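The parent-token / child-token flow proposed above, as an added example that is not code from this issue or from the Vault project. It models the `auth/token/create` step with an in-memory stand-in for Vault so it runs offline; the sink table, the helper names, the policy names and the token strings are all constructed for the illustration. The one real constraint it encodes is Vault's rule that, without a token role, a non-root token can only mint children whose policies are a subset of its own, which is what keeps a sink from ever being broader than the agent's identity.

```python
"""Added example (not from the issue or the Vault project): a minimal model of
the proposed per-sink child-token flow.  Vault is replaced by an in-memory
stand-in; all names and values below are constructed for this illustration."""
import os
import secrets
import stat
import tempfile
from dataclasses import dataclass, field

# Constructed sink table: each sink path gets its own policy set and TTL.
# In the proposal this would be a per-sink setting in the agent config.
SINKS = {
    "/run/vault/app-a.token": {"policies": ["app-a-read"], "ttl": "1h"},
    "/run/vault/app-b.token": {"policies": ["app-b-read", "shared-kv"], "ttl": "1h"},
}


def child_token_request(sink_cfg):
    """Build the JSON body the agent would POST to /v1/auth/token/create.
    `policies` narrows the child, `no_default_policy` keeps `default` off it
    unless listed explicitly, and `ttl`/`renewable` bound its lifetime."""
    return {
        "policies": sorted(sink_cfg["policies"]),
        "ttl": sink_cfg["ttl"],
        "renewable": True,
        "no_default_policy": True,
        "display_name": "agent-sink",
    }


@dataclass
class FakeVault:
    """Stand-in for Vault's token store (constructed for this example)."""
    tokens: dict = field(default_factory=dict)  # token -> metadata

    def login(self, role, policies):
        """Auto-auth step: one identity + role yields one parent token."""
        parent = "hvs." + secrets.token_hex(12)
        self.tokens[parent] = {"policies": set(policies), "parent": None, "role": role}
        return parent

    def create_child(self, parent, body):
        """Mirrors Vault's subset rule: absent a token role, a child may only
        carry policies its parent already holds, so a sink cannot escalate."""
        meta = self.tokens[parent]
        wanted = set(body["policies"])
        if not wanted <= meta["policies"]:
            extra = sorted(wanted - meta["policies"])
            raise PermissionError(f"child policies not a subset of parent: {extra}")
        child = "hvs." + secrets.token_hex(12)
        self.tokens[child] = {"policies": wanted, "parent": parent, "ttl": body["ttl"]}
        return child


def write_sink(path, token):
    """Write the token as the agent does: owner-only mode, atomic rename."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    os.replace(tmp, path)


def run_sinks(vault, parent, sinks, base_dir):
    """One parent login, one restricted child per sink.
    Returns (sink path -> child token, sink path -> file mode bits)."""
    written, modes = {}, {}
    for sink_path, cfg in sinks.items():
        child = vault.create_child(parent, child_token_request(cfg))
        out = os.path.join(base_dir, os.path.basename(sink_path))
        write_sink(out, child)
        written[sink_path] = child
        modes[sink_path] = stat.S_IMODE(os.stat(out).st_mode)
    return written, modes


def demo():
    """Run the whole flow against the fake Vault; returns what a test can check."""
    vault = FakeVault()
    parent = vault.login("agent-role", ["app-a-read", "app-b-read", "shared-kv", "default"])
    with tempfile.TemporaryDirectory() as d:
        written, modes = run_sinks(vault, parent, SINKS, d)
    return vault, parent, written, modes


if __name__ == "__main__":
    _, parent, written, _ = demo()
    for sink, child in written.items():
        print(f"{sink}: child {child[:12]}... of parent {parent[:12]}...")
```

Because every child is created from the same parent, the agent keeps a handle on all of them (the caching point raised above), and revoking the parent with `revoke` semantics cascades to every sink token at once.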