Rotating Vault tokens. #101
Comments
Some thoughts on this:
I think an interface would be great for giving the Vault issuer an easy way to handle this, with implementations like you suggest for both static and renewable tokens. There are methods to look up the expiry date of the token here: https://www.vaultproject.io/api/auth/token/index.html#lookup-a-token Then we would be able to renew using the API too, here: https://www.vaultproject.io/api/auth/token/index.html#renew-a-token A problem I would like solved is using the proxy as a Kubernetes sidecar. Vault allows you to authenticate with a Kubernetes JWT (which is mounted to the container), which is used to create the first renewable token used to access Vault. You can see an example request here: https://www.vaultproject.io/api/auth/kubernetes/index.html#login
Thanks, that sounds like it could be another type of authentication provider. I'll see if I have some time to investigate over the holiday period :).
Ok, the cool thing I believe to be the case is the token doesn't actually change, just the lease is extended. Will submit a PR for checking a renewable token and renewing near the time.
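The "renew near expiry" decision discussed in the comments above, as an added example that is not from the thread or the project's code: it reads the `ttl`, `creation_ttl` and `renewable` fields of a Vault token lookup response and chooses between waiting, renewing, or obtaining a new token. The `Plan` function, the `threshold` parameter and the sample body are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Constructed sample body shaped like Vault's token lookup response.
const nearExpiry = `{"data":{"ttl":600,"creation_ttl":3600,"renewable":true}}`

type lookup struct {
	Data struct {
		TTL         int  `json:"ttl"`          // seconds left; 0 means no expiry
		CreationTTL int  `json:"creation_ttl"` // seconds granted at creation
		Renewable   bool `json:"renewable"`
	} `json:"data"`
}

type Action string

const (
	Wait    Action = "wait"    // static token, or not yet near expiry
	Renew   Action = "renew"   // call the renew endpoint now
	Replace Action = "replace" // near expiry and not renewable
)

// Plan picks the next step from a lookup response. threshold is the fraction
// of the creation TTL below which to act (hypothetical knob, not a Vault setting).
func Plan(body string, threshold float64) (Action, time.Duration, error) {
	var l lookup
	if err := json.Unmarshal([]byte(body), &l); err != nil {
		return "", 0, fmt.Errorf("parse lookup response: %w", err)
	}
	left := time.Duration(l.Data.TTL) * time.Second
	actAt := time.Duration(float64(l.Data.CreationTTL)*threshold) * time.Second
	switch {
	case l.Data.TTL == 0:
		return Wait, 0, nil // nothing to rotate
	case left > actAt:
		return Wait, left - actAt, nil // sleep this long, then look up again
	case l.Data.Renewable:
		return Renew, 0, nil
	}
	return Replace, 0, nil
}

func main() {
	fmt.Println(Plan(nearExpiry, 0.25))
}
```

The `Replace` outcome is the case where a fresh token has to come from elsewhere, such as the Kubernetes login or a token file mentioned in this thread.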
Looks like we can ignore the Kubernetes part, we can have an init container that will provision the Vault token and allow us to mount it within the proxy. Just need a way of telling the issuer to load it from file, maybe an env var like
This is another use case for the flexible authentication option. I see something like
@bweston92 #103 added the
That’s fine thank you.
@bweston92 Don't upgrade your client version just yet, I think I may have a better idea for the interface. I'll make the change together with the dynamic renewing token.
I added a renewable token type in #104, I think we should be ok to close this. I will make a pre-release so you can test this out.
Thanks :D
Is your feature request related to a problem? Please describe.
When using the proxy there is no way to rotate the token without restarting the proxy with the updated configuration.
Describe the solution you'd like
The proxy to attempt to rotate the key when it is near expiry.
Additional context
Vault expiring tokens that are used to obtain access to the API.