Hi everyone,
I’m designing an automated certificate rotation system using HashiCorp Vault PKI and Vault Agent, and I’d like feedback on the architecture and best practices.
Current setup:
- Vault Enterprise (AppRole auth enabled)
- Vault Agent configured with auto-auth (AppRole) and file sink (/tmp/vault_token)
- Secret ID configured with:
  - secret_id_num_uses = 0
  - secret_id_ttl = 0 (non-expiring)
- Vault Agent successfully authenticates and renews token
Use case:
- I have external systems (IBM DataPower) that store certificates
- A Python script:
  - Fetches certificate list from DataPower
  - Checks expiry
  - If expiring → requests a new certificate from Vault PKI
  - Pushes updated cert back to DataPower
Goal:
I want to offload as much work as possible to Vault Agent while keeping dynamic behavior.
Questions:
- Is this hybrid approach (Vault Agent for auth + script for logic) the recommended pattern?
- Can Vault Agent be used to dynamically generate certificates (based on runtime input like cert names), or is it limited to static templates?
- Is using a long-lived (unlimited use) secret_id for Vault Agent considered safe for this use case?
- Would it be better to:
  - Continue generating certificates via API (Python), OR
  - Use Vault Agent templates for certificate generation?
- Any best practices for:
  - Scaling this pattern
  - Securing AppRole credentials
  - Avoiding secret sprawl
What I’ve observed:
- Vault Agent works well for auth/token lifecycle
- Dynamic certificate generation still requires application logic
Would appreciate guidance on whether this architecture aligns with recommended Vault design patterns.
Thanks!
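As an added example (not the original poster's configuration), the Vault Agent config below shows what the template side can cover for this use case: AppRole auto-auth that deletes the secret_id file once it has been read, a file sink with a restrictive mode, and a template that uses the consul-template pkiCert function to issue and renew a certificate for one fixed common name before it expires. The Vault address, file paths, the PKI role name "datapower", the hostname gw.example.com and the push script are all assumptions.

```hcl
# Added example, not from the original post. Paths, role and host names are hypothetical.
vault {
  address = "https://vault.example.com:8200"
}

auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
      # Remove the secret_id once it has been exchanged for a token, so a
      # leftover file on disk cannot be reused by anything else on the host.
      remove_secret_id_file_after_reading = true
    }
  }

  sink "file" {
    config = {
      path = "/tmp/vault_token"
      mode = 0640   # token readable by the agent's owner/group only, not world-readable
    }
  }
}

# One template per certificate: the common name is fixed in this file, so names that
# only become known at runtime (e.g. from a DataPower inventory) still need the script.
template {
  contents = <<EOT
{{ with pkiCert "pki/issue/datapower" "common_name=gw.example.com" "ttl=720h" }}
{{ .Cert }}
{{ .CA }}
{{ .Key }}
{{ end }}
EOT
  destination = "/var/lib/vault-agent/gw.example.com.pem"
  perms       = 0600   # private key inside, so owner-only
  # pkiCert re-issues before the certificate expires; the exec block runs only when the
  # rendered file changes, which is where the push to DataPower would hook in.
  exec {
    command = ["/usr/local/bin/push_to_datapower.sh", "gw.example.com"]
  }
}
```

The agent still needs a policy granting update on pki/issue/datapower, and the rendered file carries the private key, so the destination directory should be owned by the agent user.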