After reaching a limit with Ansible’s encryption workflow, I’ve been wrapping my head around Vault for the past few months, and I intend to share what I hope will eventually be a rapid way of implementing Vault with best practices (not there yet) for production in AWS with HA and auto unsealing, launched from a Cloud9 (no inbound access) AWS instance, which could also build the AMIs using Packer.
In my case it’s for an IAC project to allow VFX artists to do their own cloud rendering, but I think the vault implementation could be useful for others.
When it comes to authentication of an external system (like a laptop onsite) unless I am missing some option, I think there could be improvements.
Currently, I have to copy and paste the remote host’s public key to get Vault to sign it in the Cloud9 instance, then copy the signed public key back to the remote laptop, before it would be able to sign into the bastion and delegate future Vault requests. Alternatively, we could generate a one-time password from the Cloud9 instance. Still, both options feel clunky to me.
I’d like to make the process smoother, perhaps you guys have better ideas…
Is something like Vault Cloud going to be able to help with this problem, even if we are running our own Vault?
If possible in the future: I would hope to use Vault Cloud to validate an external user with a GitHub / Gmail / or AWS IAM login (any of these hopefully with MFA) to sign their public key and enable SSH to the bastion host.
Or are there other ways Vault OSS could do this more smoothly I haven’t considered?
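An added example, not part of the original post, of the workflow the post describes done from the laptop itself: the user logs into Vault through an external identity provider (OIDC, GitHub or AWS IAM auth) and has Vault’s SSH CA sign the laptop’s public key directly, so nothing has to be relayed through the Cloud9 instance. The mount path `ssh-client-signer`, the roles `bastion-user` and `laptop`, and the principal `ubuntu` are assumptions, and `VAULT_ADDR` is assumed to point at the Vault cluster.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sign a laptop's SSH public key
# with Vault's SSH CA from the laptop itself, after authenticating with an
# external identity provider, instead of copying keys through Cloud9.
# Assumed names: SSH secrets engine mounted at "ssh-client-signer", signing
# role "bastion-user", OIDC/AWS auth role "laptop"; VAULT_ADDR must be set.
set -euo pipefail

SSH_MOUNT="${SSH_MOUNT:-ssh-client-signer}"
SIGN_ROLE="${SIGN_ROLE:-bastion-user}"

# OpenSSH loads the certificate that sits beside the key as <key>-cert.pub.
cert_path_for() {
  local pub="$1"
  printf '%s\n' "${pub%.pub}-cert.pub"
}

# Log in with an external identity; MFA is enforced by the provider (OIDC)
# or by Vault's login MFA configuration, not by this script.
vault_login() {
  case "${AUTH_METHOD:-oidc}" in
    oidc)   vault login -method=oidc role="${OIDC_ROLE:-laptop}" ;;
    github) vault login -method=github token="$GITHUB_TOKEN" ;;
    aws)    vault login -method=aws role="${AWS_ROLE:-laptop}" ;;
    *)      echo "unknown AUTH_METHOD: ${AUTH_METHOD}" >&2; return 1 ;;
  esac
}

# Have Vault sign the public key for one principal and store the certificate
# next to the key; the role's TTL and allowed principals bound what is issued.
sign_ssh_key() {
  local pub="$1" principal="$2" cert
  cert="$(cert_path_for "$pub")"
  vault write -field=signed_key "${SSH_MOUNT}/sign/${SIGN_ROLE}" \
    public_key=@"$pub" valid_principals="$principal" > "$cert"
  chmod 600 "$cert"
  # Print validity window, principals and extensions so the user can review them.
  ssh-keygen -L -f "$cert"
  printf '%s\n' "$cert"
}

if [ "${1:-}" = "run" ]; then
  vault_login
  sign_ssh_key "${2:-$HOME/.ssh/id_ed25519.pub}" "${3:-ubuntu}"
  # Afterwards: ssh -i ~/.ssh/id_ed25519 ubuntu@bastion (cert is picked up automatically)
fi
```

Run as `./sign.sh run ~/.ssh/id_ed25519.pub ubuntu`; the certificate expires on the TTL set in the Vault role, so the script is simply re-run when access is needed again.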