Maybe it was my wording, I apologize. I will try to explain exactly what I want to find out.
We utilize Banzaicloud secret injection webhook to inject secrets in to running pods/containers. At the moment we currently have static AWS key pairs for each application and they can only be rotated manually. AWS provides the commercial solution by themselves which does automated AWS IAM User key rotation, but to save the costs we are trying to develop ourselves the solution that would do the exact same.
Flow would be like this:
- Standalone application/sidecar requests Vault via API or CLI to retrieve new IAM user key pair with defined role in aws secret engine.
- App copies the key pair
- App writes the Key Pair in defined K/V secret engine path
- App sets TLL (Or it’s running cronjob) value and wait’s until it’s finished
- App cleans up env and removes key pair from it’s memory.
- App-2 who has need of secrets requests secrets from vault via secret webhook (vault:secret/super_secret#IAM_KEY …)
Rinse and repeat basically. That is the idea. My main question is - Is it even possible to do it that way and would script be sufficient enough to perform and automate this ?
In short what I now by now Banzaicloud’s webhook only would read, wrap, transfer, decode and put the secret in to env variable when requested and f.e. if you try to retrieve it, it always comes back as a variable. So in the end I am not sure how this can be done correctly.
As well I want to point out that I’ve seen a feature request open in Github repository for vault for a possibility that Vault could rotate existing IAM user key pairs, but it has not been developed yet. So as we both know, currently engine creates the new IAM users with key pairs that have a defined TTL. As well we have already defined secret pathways in the applications that are used to inject secrets and basically a workaround would be copying newly created aws dynamic secret and writing it in existing vault pathway which overwrites old Key pairs and let’s application function without any disruptions in that way without us as well needing to have major changes in architecture.