Open itspngu opened 1 year ago
ambis
commented
1 year ago This would be essential especially in the case where the TTL could be configured to be less than 1h (not sure yet if this is possible), since the static_account TTL is always 1h.
This would be beneficial for places like CI which runs fast and only needs a short TTL token.
itspngu
commented
1 year ago This would be beneficial for places like CI which runs fast and only needs a short TTL token.
Hey there @ambis :wave:
I've not tried it myself because our CI runs on Github and there's a "native" means of having workflows in Github Actions authenticate to Google Cloud called Workload Identity Federation (pretty much just a fancy wrapper around OIDC).
If that's not an option you might want to look into making the tokens returned by the auth method your CI system uses short-lived (instead of setting short TTLs on the secrets themselves), Vault will periodically clean up "dangling" secret leases (for secrets from dynamic secrets engines, for static secrets there's nothing to clean up) after the token used to create them has expired.
This could possibly be further optimized by using non-renewable Batch Tokens with a fixed TTL for the CI usecase specifically, but I've not experimented with those yet and I'm not 100% sure they properly work with dynamic secrets.
Terraform Version
terraform -v Terraform v1.4.3-dev on linux_amd64
Affected Resource(s)
If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.
Terraform Configuration Files
Debug Output
n/a
Panic Output
n/a
Expected Behavior
The
vault_gcp_secret_impersonated_accountresource should support thettlparameter exposed by the corresponding Vault API endpoint.Actual Behavior
The
vault_gcp_secret_impersonated_accountresource does not expose thettlparameter.Steps to Reproduce
n/a
Important Factoids
n/a
References
n/a