We’d like to directly sign a host certificate from cloud-init when starting up a VM. I’ve been wondering how to achieve this best. Is there a way to “prepare” the entire signing request (except for the ssh host private key, which is only generated upon startup) and then pass some “token” into the VM (via cloud-init, I understand how to do that) which the VM can then use to access vault once to get its host key signed?
Ideally I can already fix the principal, because I know that when passing the “token” into the VM…
Create a single-use token with the policy assigned
Pass the token into the cloud-init data
But then you need automation to do all that, and ideally clean up the old SSH roles and policies when they are no longer needed too - it’s a fair amount of automation to write.
If you did want a login-based flow, you could instead use the AppRole auth method, where you can specify number of uses allowed for SecretIDs (what AppRole calls its password-equivalent).
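The flow above (one SSH role and one policy per VM, a single-use token, the token passed via cloud-init, the VM signing its boot-generated host key exactly once) as a worked example in Python. This is an added example, not code from anyone in the thread or from HashiCorp; it drives Vault's HTTP API and emits the cloud-config the VM consumes. Assumed (not in the thread): the SSH CA is mounted at `ssh-host-signer`, `VAULT_ADDR` points at the server, the VM image ships the `vault` CLI, the role and policy are named `vm-<fqdn>`, and the token is staged in `/run/vault-sign-token`. It also addresses the question's wish to fix the principal up front: the policy's `allowed_parameters` pin `valid_principals` and `cert_type`, so the token can only ever produce a host certificate for that one FQDN.

```python
import json
import os
import urllib.request
from typing import Any, Callable, Dict

# Assumptions (not from the thread): SSH CA mount, Vault address, vault CLI in the image.
SSH_MOUNT = "ssh-host-signer"
VAULT_ADDR = os.environ.get("VAULT_ADDR", "https://vault.example.com:8200")
TOKEN_FILE = "/run/vault-sign-token"   # tmpfs: gone on reboot, shredded right after use


def role_name(fqdn: str) -> str:
    """One role and one policy per VM, e.g. vm-web01-example-com."""
    return "vm-" + fqdn.replace(".", "-")


def ssh_role(fqdn: str, cert_ttl: str = "720h") -> Dict[str, Any]:
    """SSH CA role that may issue host certificates for exactly this FQDN."""
    return {
        "key_type": "ca",
        "allow_host_certificates": True,
        "allow_user_certificates": False,   # a host token must never mint user certs
        "allowed_domains": fqdn,
        "allow_bare_domains": True,         # the principal is the FQDN itself
        "allow_subdomains": False,
        "ttl": cert_ttl,
        "max_ttl": cert_ttl,
    }


def sign_policy(fqdn: str) -> str:
    """ACL for one path only, with the request parameters fixed.
    allowed_parameters denies every parameter not listed, so public_key is
    listed with [] (any value) while cert_type and valid_principals are pinned."""
    return f'''path "{SSH_MOUNT}/sign/{role_name(fqdn)}" {{
  capabilities = ["update"]
  allowed_parameters = {{
    "public_key"       = []
    "cert_type"        = ["host"]
    "valid_principals" = ["{fqdn}"]
  }}
}}
'''


def token_request(fqdn: str, ttl: str = "15m") -> Dict[str, Any]:
    """Single-use, short-lived, non-renewable token carrying only this VM's policy."""
    return {
        "policies": [role_name(fqdn)],
        "no_default_policy": True,
        "num_uses": 1,
        "ttl": ttl,
        "renewable": False,
        "display_name": role_name(fqdn),
    }


def user_data(fqdn: str, token: str) -> str:
    """#cloud-config that signs the boot-generated host key once, then destroys the token.
    JSON is valid YAML, so no yaml module is needed. cloud-init's ssh module creates
    the host keys before runcmd executes, so the public key exists by then."""
    sign = (
        f"VAULT_ADDR={VAULT_ADDR} VAULT_TOKEN=$(cat {TOKEN_FILE}) "
        f"vault write -field=signed_key {SSH_MOUNT}/sign/{role_name(fqdn)} "
        f"cert_type=host valid_principals={fqdn} "
        f"public_key=@/etc/ssh/ssh_host_ed25519_key.pub "
        f"> /etc/ssh/ssh_host_ed25519_key-cert.pub"
    )
    cfg = {
        "fqdn": fqdn,
        "write_files": [{"path": TOKEN_FILE, "permissions": "0600", "content": token}],
        "runcmd": [
            sign,
            f"shred -u {TOKEN_FILE}",
            "echo 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub' >> /etc/ssh/sshd_config",
            "systemctl restart sshd || systemctl restart ssh",
        ],
    }
    return "#cloud-config\n" + json.dumps(cfg, indent=2) + "\n"


def provision(fqdn: str, post: Callable[[str, Dict[str, Any]], Dict[str, Any]]) -> str:
    """Operator side: write role, write policy, create token, return the VM's user-data.
    `post(path, body)` performs an authenticated write against Vault's HTTP API."""
    name = role_name(fqdn)
    post(f"{SSH_MOUNT}/roles/{name}", ssh_role(fqdn))
    post(f"sys/policies/acl/{name}", {"policy": sign_policy(fqdn)})
    token = post("auth/token/create", token_request(fqdn))["auth"]["client_token"]
    return user_data(fqdn, token)


def vault_post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Real Vault write using the operator's own VAULT_TOKEN (policy writes return 204)."""
    req = urllib.request.Request(
        f"{VAULT_ADDR}/v1/{path}", data=json.dumps(body).encode(), method="POST",
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"], "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


if __name__ == "__main__":
    print(provision("web01.example.com", vault_post))
```

Two caveats a practitioner will want. First, anything running on the VM can read the user-data back from the cloud's metadata endpoint, so the token is not secret from the instance itself; `num_uses: 1`, the 15-minute TTL and the pinned `allowed_parameters` are what bound the damage if it is replayed. Second, this is the automation burden maxb mentions: when the VM is destroyed, the per-VM policy (`sys/policies/acl/vm-...`) and SSH role (`ssh-host-signer/roles/vm-...`) must be deleted too, or they accumulate.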
If hosts are AD-joined and have Kerberos credentials, could those credentials be used to obtain the token (with the policy maxb described assigned), and that token then used to get the host keys signed?