Use Vault token from environment when creating credential store

I run both Vault and Boundary in Kubernetes, I have Vault setup to trust K8s ServiceAccounts so they can request tokens, is it possible when creating a Vault credential store to use the VAULT_TOKEN env var?

It’s called cubbyhole.

Boundary currently requires a Vault orphan token (with a defined set of permissions) as part of the credential store config – it won’t authenticate to Vault from the environment.

I believe one reason for this (or at least one consideration that comes into play) is that the permissions Boundary needs for itself (e.g. using Vault Transit for KMS if that’s configured, which it will do using platform identity like k8s service accounts) are distinct from those it needs to manage credentials for credential stores (the ability to manage credential leases, for example). If you used the environment to provide credential store permissions, then you’d have to give those permissions to whatever underlying platform identity you’re using for Boundary, which raises security issues. Since Boundary encrypts the token at rest, giving it an orphan token is still secure and allows the platform identity underlying Boundary to have more minimal permissions than would otherwise be the case. It also allows you to easily revoke that token (and therefore the leases associated with it) if you need to without disabling Boundary entirely.

Thanks for the reply, this makes sense.