Vault Tokens and Cloud-Init provisioning

Hi everyone,

I’m looking for some advice regarding the possibility of feeding Cloud-Init with Vault tokens during provisioning.

We’re using GoCD agents as a trusted entity to generate Vault tokens for each application using AppRole. The GoCD agents are currently responsible for creating the tokens and injecting them into the VMs.

I’m looking at a solution for Cloud-Init. It is possible to pass the Vault token in the Cloud-Init userdata (previously obtained from the GoCD agent), but we don’t like this approach because the token will then be accessible to anyone who can SSH into the VM used by that specific app and then curl the userdata endpoint of OpenStack.

Can you perhaps help with some integration examples, or any Vault usage with Cloud-Init? I was looking at integrating the SSH CA with vault-init, but that is rather simple to do.

P.S. Hopefully the info above makes sense; I tried to abstract it as much as possible and not go into too many details, but please let me know if some additional info would help.

Thank you,