Recommended method for a bastion host to get Vault to sign its host key

Today I started testing SSH certs with vault for the first time. Very cool! I wonder how I got this far without them now.

When a new bastion spins up, I want it to have its host key signed so that it is recognised as a known host by other machines accepting the vault known host CA, and I wanted to share how I think I might do this to see if there's anything not really good practice here…

  • I figure it's a bad idea to use an IAM role as the auth method in this instance, since if the host was compromised it would be too easy for someone to inject some other host key and get vault to ordain it as a known host.

  • Instead I might use resource "vault_token" in terraform as the trusted provisioner with num_uses set to one and a brief TTL. The role for the token would be limited only to being able to sign a host key (not ssh client keys).

  • Terraform can then pass the client_token var into user data. Is it acceptable that this isn’t encrypted? Or should I go further? Terraform has an encrypted S3 remote state.

  • When the bastion starts the user data script authenticates to vault and can then sign its host key.

So the only opportunity for the host to automatically authenticate should be when it starts, which seems good to me. A drawback is the TTL on the certificate may have to be quite long, maybe months, if the host is not intended to be shut down regularly.
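One concrete shape for the steps above, as an added example and not code from the original post: Terraform for the host-only signing role, a policy pinned to that one endpoint, the single-use bootstrap token, and the user data script that redeems it. It assumes an SSH secrets engine is already mounted at `ssh-host-signer` with a CA configured; the role name, domain and Vault address are placeholders.

```hcl
# Assumes SSH engine mounted at "ssh-host-signer" with a CA; names and domain are placeholders.
# Role that may issue host certificates only, never user certificates.
resource "vault_ssh_secret_backend_role" "bastion" {
  name                    = "bastion"
  backend                 = "ssh-host-signer"
  key_type                = "ca"
  allow_host_certificates = true
  allow_user_certificates = false
  allowed_domains         = "bastion.example.internal"
  allow_subdomains        = true
  ttl                     = "2160h" # 90-day host cert, per the long TTL noted above
  max_ttl                 = "2160h"
}

# Policy scoped to that one sign endpoint and pinned to cert_type=host.
resource "vault_policy" "bastion_host_sign" {
  name   = "bastion-host-sign"
  policy = <<-EOT
    path "ssh-host-signer/sign/bastion" {
      capabilities       = ["update"]
      allowed_parameters = {
        "cert_type"        = ["host"]
        "public_key"       = []
        "valid_principals" = []
      }
    }
  EOT
}

# Single-use, short-lived bootstrap token passed to the instance in user data.
resource "vault_token" "bastion_bootstrap" {
  policies          = [vault_policy.bastion_host_sign.name]
  no_default_policy = true
  num_uses          = 1
  ttl               = "15m"
}

# User data: redeem the token once, sign the host key, enable the cert in sshd.
locals {
  bastion_user_data = <<-EOT
    #!/bin/sh
    set -eu
    export VAULT_ADDR="https://vault.example.internal:8200"
    export VAULT_TOKEN="${vault_token.bastion_bootstrap.client_token}"
    vault write -field=signed_key ssh-host-signer/sign/bastion \
      cert_type=host valid_principals="$(hostname -f)" \
      public_key=@/etc/ssh/ssh_host_ed25519_key.pub \
      > /etc/ssh/ssh_host_ed25519_key-cert.pub
    echo "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub" >> /etc/ssh/sshd_config
    systemctl restart sshd
  EOT
}
```

The `allowed_parameters` stanza backs up the role setting: even a holder of this policy cannot request `cert_type=user`, and once `num_uses` is spent a token recovered from the instance later is useless.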

Any thoughts / ideas / warnings?

I’m also wondering what methods people would use when spinning up a spot fleet. The method above might not work in that case since the token would need to be reused over a much longer period of time over multiple instances starting.