I have a use case where my CI runner will need to provision a new role (with policy) and a new secret engine any time we deploy an application for the first time. Are there any recommendations around this use case? I’m concerned that the CI role will need to have full access to Vault, but I do not see a way to limit this if it needs to write new policies. Is it advised to not go this route, or perhaps I need a 3rd service that provisions these elevated tokens to the ci that are short lived?
That really doesn’t make any technical sense. If you need that much separation and it’s temporary then run a temporary Vault instance as part of the job.
I wouldn’t do what you’re suggesting on a production instance.
Any process that automates the modification of Vault configuration is going to need to be highly secure.
If your existing CI is highly secure, that might be fine.
If your existing CI’s security is in doubt, providing it with short-lived tokens is not useful - it just allows it to do dangerous things for a shorter time - but still do dangerous things.
You might consider creating a 3rd service that your CI can request perform creations on its behalf, but have the 3rd service restrict what it will create to preapproved templates.