[FEATURE REQUEST] Manage Vault token lifecycle #63406
Labels: Feature (new functionality including changes to functionality and code refactors, etc.), needs-triage, Vault
Is your feature request related to a problem? Please describe.
The Vault integration currently only allows configuring issued tokens with `ttl`, which is mapped to an `explicit_max_ttl` [and `uses`]. The token lifecycle handling thus is very naive: tokens are always issued with the same minimum and maximum ttl and never renewed. Vault leases are bound to the requesting token. When the token expires, even if the lease itself would still be valid, they will be revoked. It is very cumbersome/nearly impossible to manage longer-lived secrets like database credentials safely and reliably.

Edit: Furthermore, tokens that are not needed anymore (e.g. when forgetting them by flushing the cache) are still left valid, which presents an unnecessary security risk.
Describe the solution you'd like
Vault supports renewable tokens. This is intended to make clients check in regularly for auditability and security reasons.
The solution is threefold:
a) Allow configuring issued tokens' various ttl settings.
b) Actually renew tokens before they expire.
c) Revoke tokens that are not needed anymore.
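As an added illustration of the three points above (not code from Salt or from this issue), the following models the token semantics the request relies on: a renew extends the token's `ttl` but Vault caps the grant at `explicit_max_ttl` counted from issue time, so a client must renew before expiry and, once it can no longer get a useful extension, obtain a fresh token and revoke the old one instead of leaving it valid. `Token`, `FakeVault` and `TokenLifecycle` are constructed stand-ins for the real `auth/token/renew-self` and `auth/token/revoke-self` endpoints; times are plain seconds.

```python
from dataclasses import dataclass

@dataclass
class Token:
    """Constructed model of the fields Vault reports for a token (lookup-self)."""
    issued_at: float          # creation time, in seconds
    renewed_at: float         # time of issue or of the last successful renewal
    ttl: float                # seconds of life granted at renewed_at
    explicit_max_ttl: float   # hard cap counted from issued_at; 0 means no cap
    renewable: bool = True
    revoked: bool = False
    def expires_at(self) -> float:
        return self.renewed_at + self.ttl

class FakeVault:
    """Offline stand-in for Vault's renew-self / revoke-self token endpoints."""
    def __init__(self, token: Token) -> None:
        self.token = token
    def renew_self(self, now: float, increment: float) -> float:
        t = self.token
        if t.revoked or not t.renewable or now >= t.expires_at():
            raise PermissionError("token expired, revoked or not renewable")
        granted = increment
        if t.explicit_max_ttl:  # Vault caps the grant at the hard maximum
            granted = min(increment, t.issued_at + t.explicit_max_ttl - now)
        if granted <= 0:
            raise PermissionError("explicit_max_ttl reached")
        t.renewed_at, t.ttl = now, granted
        return granted
    def revoke_self(self) -> None:
        self.token.revoked = True

class TokenLifecycle:
    """Renews once half the ttl is gone; says when a fresh token must be issued."""
    def __init__(self, vault: FakeVault, increment: float, min_ttl: float) -> None:
        self.vault, self.increment, self.min_ttl = vault, increment, min_ttl
    def tick(self, now: float) -> str:
        t = self.vault.token
        if t.revoked or now >= t.expires_at():
            return "expired"  # leases bound to this token went with it
        if t.expires_at() - now > t.ttl / 2:
            return "ok"
        try:
            granted = self.vault.renew_self(now, self.increment)
        except PermissionError:
            return "reissue"  # cannot extend: issue a new token, then revoke this one
        return "renewed" if granted >= self.min_ttl else "reissue"
    def release(self) -> None:
        """Revoke when the cached token is discarded so it does not linger valid."""
        self.vault.revoke_self()
```

A "reissue" result is the moment to request a new token (and re-request its leases) while the old one is still valid, then call `release()` on the old one.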
Describe alternatives you've considered
Issue tokens with a very long `explicit_max_ttl` and manually delete the cached tokens before running a highstate, which needs to happen before the token expires, otherwise there is an outage. Revoke possibly valid-but-inaccessible tokens manually thereafter.