hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Request to add Create and Destroy function when Template Rendering in Vault Agent #18281

Open Great-Stone opened 1 year ago

Great-Stone commented 1 year ago

Is your feature request related to a problem? Please describe.

There is a problem when templating an AWS iam_user-method dynamic secret with Vault Agent. For example, if you configure ttl and max_ttl to be 60 seconds, the revoke will happen first and there will be no iam_user created by Vault. Is it possible to add something like a create_and_revoke option?

Describe the solution you'd like

template {
  source = "aws.key.ctmpl"
  destination = "aws.key"
  create_and_revoke = true # <<-
}

Describe alternatives you've considered

N/A

Explain any additional use-cases

Dynamically issuing the iam_user method seems to be a great advantage of Vault, but unfortunately there seems to be no consideration of the delay in issuing an iam_user. For the Azure client, the delay is more than 10 seconds.

Additional context ..

powhapki commented 1 year ago

This is definitely needed!

jsp-hashicorp commented 1 year ago

If this is implemented, Vault can be used more in AWS account management cases.

kmworld commented 1 year ago

In my case, this feature is very necessary and important.

This is because an AWS access key is not immediately available upon creation: there is a slight delay before the access key is activated and can be used. I don't know the exact time, but in my case it took about 10 seconds after the template was rendered to the destination file.

This is a consideration in all cases where you want to automatically rotate access keys. The access key should be generated ahead of the pre-activation time to give users minimal delay.
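The failure mode discussed in this thread (a dynamic AWS key that is revoked, or nearly revoked, before it becomes usable) can be guarded against on the consumer side. The following is an added example, not code from Vault or from anyone in this thread: a gate that holds a freshly rendered credential until a probe confirms it authenticates, and refuses it when the remaining lease is shorter than the caller needs. The `probe`, the injectable clock and the delay values are hypothetical; in real use the probe would call STS GetCallerIdentity with the rendered key and the clock would be `time.monotonic`.

```python
# Added example (hypothetical helper, not Vault Agent code): gate a rendered
# AWS dynamic credential on actual usability, bounded by its Vault lease TTL.
import time
from typing import Callable, Optional


class CredentialNotUsable(Exception):
    """The key never activated in time, or too little lease would remain."""


def wait_until_usable(
    probe: Callable[[], bool],          # True once the key authenticates
    lease_ttl_s: float,                 # lease TTL at render time (e.g. 60)
    min_usable_s: float,                # shortest usable window the consumer accepts
    poll_interval_s: float = 1.0,
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> float:
    """Poll until the credential works; return the usable seconds left in the lease."""
    start = clock()
    # Latest moment at which activation still leaves min_usable_s of lease.
    deadline = start + lease_ttl_s - min_usable_s
    while True:
        now = clock()
        if probe():
            usable = lease_ttl_s - (now - start)
            if usable < min_usable_s:
                raise CredentialNotUsable(f"only {usable:.0f}s usable, need {min_usable_s:.0f}s")
            return usable
        if now >= deadline:
            raise CredentialNotUsable("key not active before the lease became too short")
        sleep(poll_interval_s)


def simulate(activation_delay_s: float, lease_ttl_s: float, min_usable_s: float) -> Optional[float]:
    """Constructed offline scenario with a fake clock: the key only authenticates
    activation_delay_s after creation (the propagation lag the thread describes).
    Returns the usable window, or None when the gate rejects the credential."""
    now = [0.0]

    def fake_clock() -> float:
        return now[0]

    def fake_sleep(seconds: float) -> None:
        now[0] += seconds

    def probe() -> bool:
        return now[0] >= activation_delay_s

    try:
        return wait_until_usable(probe, lease_ttl_s, min_usable_s, clock=fake_clock, sleep=fake_sleep)
    except CredentialNotUsable:
        return None
```

With a 60-second lease and the roughly 10-second activation lag reported above, the consumer still gets about 50 usable seconds; if it insists on 55, the gate rejects the key instead of handing over one that is about to be revoked.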