I just started learning about Vault and I’m trying to understand if it can solve my use case.
I have a several Kubernetes clusters which all sends their metrics and logs to Grafana Cloud. In order to authenticate with Grafana Cloud they will need an API token.
Is Vault capable of generating those tokens by using Grafana’s API, or do I need to write custom code to fullfill this task as it might not be supported out of the box?
I also have a similar use case with Gitlab. I need to generate different tokens for all the different clusters I have.
Retrieving all the different secrets from the vault is already solved by using the CSI driver for Kubernetes.
Would this be possible with Vault? Do anyone have some good links which can take me in the right direction?
For any “API token from an external service” kind of scenario, you would need a dedicated Vault secrets engine plugin which knew how to talk to the external service.
I have looked for a grafana dynamic secret plugin and have not found one. You can take a look at the others plugins that have been published by 3rd party and use that to create your own.
@aram, that’s a database plugin which is completely different to a secrets plugin and is not relevant to this use case.
and members of the community flagged the post as off-topic, leading it to be hidden.
If people disagree with something I’ve said, I’d encourage discussing it rather than seeking to have the system suppress my post. (Which, as a factual correction to the issue being discussed, is not off-topic.)
However, I do admit I could have explained at greater length, and my earlier post could have been misunderstood. I shall give more details:
Vault has three kinds of plugin:
auth
secrets
database
If someone wanted to implement a plugin to create and return Grafana or GitLab API keys on the fly, the relevant kind of plugin to look into is “secrets”.
The mysql plugin is of “database” type, and so is not a good example to start with, as the Vault APIs involved are different.