Best Practice: Vault and the platform integration scenario

The Terraform Tutorial includes a section named Secure Introduction of Vault Clients that describes mechanisms to introduce secrets into a consumer.

The scenario named "platform integration" suggests using the hosting platform to inject a token (the first secret) that the consumer can spend with Vault to retrieve additional secrets.

The question is: what are the pros and cons of:

  1. using the described approach, i.e. having the platform provide just the first secret and then having the consumer connect to Vault
  2. letting the platform provide all the secrets and refresh them every time the consumer asks for an update

I would like to hear some feedback from the community. For example, a pro I can think of for the second approach would be that only the platform connects to Vault, not every consumer, thus reducing the attack surface.