approleID + wrapped secretID vs. wrapped Vault token

Hello,

I would like to securely enable a machine to interact with Vault. I came up with two approaches.

The first approach provisions an approleID and a secretID to the machine in the following way:

  1. Machine starts.
  2. Machine sends HTTP request to approle-provisioner service.
  3. approle-provisioner service validates the requester is allowed to use the requested approle.
  4. approle-provisioner service fetches an approleID from Vault.
  5. approle-provisioner service fetches a response-wrapped secretID.
  6. approle-provisioner transfers approleID and unwrapping token to requester via SCP.
  7. Machine unwraps secretID.
  8. Machine logs into Vault with approleID and secretID and uses the resulting Vault token.

The second approach directly provisions a Vault token to the machine:

  1. Machine starts.
  2. Machine sends HTTP request to token-provisioner service.
  3. token-provisioner service validates the requester is allowed to use the requested approle.
  4. token-provisioner performs the vault login with response wrapping.
  5. token-provisioner transfers wrapping token to requester via SCP.
  6. Machine unwraps token and uses the resulting Vault token.

The first approach allows me to constrain the secretID usage (e.g. TTL and number of uses) separately from the token constraints. The second approach appears simpler, but once the token expires, the token-provisioner must be triggered again to fetch a new token.

Do you see any other advantages and disadvantages?

Best
Nick
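
Steps 7 and 8 of the first approach, as an added example that is not part of the original post: before unwrapping, the machine checks that the wrapping token was created by the secret-id endpoint of the expected role, and it treats a failed unwrap as a sign that the single-use token was already consumed elsewhere. The Vault address, the role name `machine-role`, the default `approle` mount path and the injectable `post` parameter are assumptions.

```python
import json
import urllib.request

VAULT_ADDR = "https://vault.example.internal:8200"  # assumed address
ROLE = "machine-role"                                # hypothetical AppRole name


def vault_post(path, body=None, token=None):
    """POST to Vault's HTTP API and return the decoded JSON response."""
    req = urllib.request.Request(
        f"{VAULT_ADDR}/v1/{path}",
        data=json.dumps(body or {}).encode(),
        method="POST",
    )
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def login_with_wrapped_secret_id(role_id, wrapping_token, post=vault_post, role=ROLE):
    """Validate the wrapping token, unwrap the secretID, then log in via AppRole."""
    expected = f"auth/approle/role/{role}/secret-id"

    # sys/wrapping/lookup does not consume the token; it reports where it was created.
    info = post("sys/wrapping/lookup", {"token": wrapping_token})["data"]
    if info["creation_path"] != expected:
        raise RuntimeError(f"unexpected creation_path: {info['creation_path']}")

    # The wrapping token is single-use: a failure here means it expired
    # or was already unwrapped by someone else.
    try:
        unwrapped = post("sys/wrapping/unwrap", token=wrapping_token)
        secret_id = unwrapped["data"]["secret_id"]
    except Exception as exc:
        raise RuntimeError("unwrap failed; treat the secretID as exposed") from exc

    auth = post("auth/approle/login", {"role_id": role_id, "secret_id": secret_id})
    return auth["auth"]["client_token"]
```

The same lookup check applies to the second approach, where the expected creation path would be the login endpoint instead of the secret-id endpoint.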