The Terraform Tutorial includes a section named Secure Introduction of Vault Clients that describes mechanisms to introduce secrets into a consumer.
The scenario named “platform integration” suggests using the hosting platform to inject a token (the first secret) that the consumer can spend with Vault to retrieve additional secrets.
The question is: what are the pros and cons of
- using the described approach, i.e. having the platform provide just the first secret and then having the consumer connect to Vault
- letting the platform provide all the secrets and refresh them every time the consumer asks for an update
I would like to hear some feedback from the community. For example, a pro I can think of for the second approach would be that only the platform connects to Vault, not every consumer, thus reducing the attack surface.
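To make the two options concrete, here is an added example (not from the original post, the tutorial, or HashiCorp) that simulates both flows against a constructed in-memory stand-in for Vault. `ToyVault`, its `wrap`/`unwrap`/`read` methods, the token prefixes and the `secret/app/db` secret are all assumptions made for the simulation; in real Vault the corresponding pieces are response wrapping (`sys/wrapping/wrap`, `sys/wrapping/unwrap`, the `X-Vault-Wrap-TTL` header) and a KV mount. Approach 1 hands the consumer a single-use, short-TTL wrapping token as its first secret; approach 2 has the platform read every secret and push the values, so the consumer never holds a Vault token. The `interception_is_detected` function shows the property that distinguishes the two: if the first secret is copied in transit and spent by someone else, the consumer's own unwrap fails, whereas a pushed secret value that is copied leaves no trace at Vault.

```python
"""Simulation of the two secret-introduction flows from the question.

ToyVault is a constructed stand-in for Vault written for this example; it is
not Vault's API. Real Vault: sys/wrapping/wrap, sys/wrapping/unwrap with the
X-Vault-Wrap-TTL header, and a KV secrets engine.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class WrappedEntry:
    payload: dict
    expires_at: float
    used: bool = False


class ToyVault:
    """In-memory model of response wrapping, scoped client tokens and a KV read."""

    def __init__(self) -> None:
        self._wrapped: dict[str, WrappedEntry] = {}
        self._tokens: dict[str, set[str]] = {}  # client token -> readable paths
        # Constructed sample secret; in real Vault this lives in a KV mount.
        self._kv = {"secret/app/db": {"username": "app", "password": "constructed-pw"}}

    def issue_token(self, paths: set[str]) -> str:
        token = "hvs.client." + secrets.token_urlsafe(16)  # assumed prefix
        self._tokens[token] = set(paths)
        return token

    def wrap(self, payload: dict, ttl_seconds: int = 60, now: float | None = None) -> str:
        now = time.time() if now is None else now
        wrapping_token = "hvs.wrap." + secrets.token_urlsafe(16)  # assumed prefix
        self._wrapped[wrapping_token] = WrappedEntry(payload, now + ttl_seconds)
        return wrapping_token

    def unwrap(self, wrapping_token: str, now: float | None = None) -> dict:
        now = time.time() if now is None else now
        entry = self._wrapped.get(wrapping_token)
        if entry is None:
            raise PermissionError("unknown wrapping token")
        if entry.used:
            # A second unwrap of a single-use token means someone already spent it.
            raise PermissionError("wrapping token already used (possible interception)")
        if now > entry.expires_at:
            raise PermissionError("wrapping token expired")
        entry.used = True
        return entry.payload

    def read(self, token: str, path: str) -> dict:
        if path not in self._tokens.get(token, set()):
            raise PermissionError(f"token not permitted to read {path}")
        return dict(self._kv[path])


def platform_hands_out_first_secret(vault: ToyVault, ttl_seconds: int = 60,
                                    now: float | None = None) -> str:
    """Approach 1, platform side: mint a scoped client token for the consumer and
    hand it over wrapped, so the consumer only ever receives the wrapping token."""
    client_token = vault.issue_token({"secret/app/db"})
    return vault.wrap({"token": client_token}, ttl_seconds, now)


def consumer_bootstraps(vault: ToyVault, wrapping_token: str,
                        now: float | None = None) -> dict:
    """Approach 1, consumer side: spend the first secret at Vault, then read the rest."""
    client_token = vault.unwrap(wrapping_token, now)["token"]
    return vault.read(client_token, "secret/app/db")


def platform_pushes_secrets(vault: ToyVault) -> dict:
    """Approach 2: only the platform holds a Vault token. It reads every secret
    and delivers the values; the consumer never talks to Vault."""
    platform_token = vault.issue_token({"secret/app/db"})
    return vault.read(platform_token, "secret/app/db")


def interception_is_detected(vault: ToyVault) -> bool:
    """Someone who copied the wrapping token unwraps it first. The consumer's own
    unwrap then fails, which is the signal to alert on. Note this is detection,
    not prevention: the attacker does hold the client token at this point."""
    wrapping_token = platform_hands_out_first_secret(vault)
    vault.unwrap(wrapping_token)  # attacker spends the single-use token
    try:
        consumer_bootstraps(vault, wrapping_token)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    v = ToyVault()
    print("approach 1:", consumer_bootstraps(v, platform_hands_out_first_secret(v)))
    print("approach 2:", platform_pushes_secrets(ToyVault()))
    print("stolen wrapping token detected:", interception_is_detected(ToyVault()))
```

The replay and expiry checks in `unwrap` are what make the first secret safe to pass through an untrusted channel for a short window; in approach 2 the platform's long-lived token and every delivered secret value carry no such single-use property, so the trade-off is fewer Vault clients against losing that tamper evidence at bootstrap.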