kgaughan / gcredstash

gcredstash manages credentials using AWS Key Management Service (KMS) and DynamoDB.
Apache License 2.0

New subcommand: agent #91

Closed kgaughan closed 2 weeks ago

kgaughan commented 1 month ago

This would be a way to add consul-template-like functionality to gcredstash. The existing template subcommand does help, but it would be helpful to add a bit more order to things and to run commands if a template has been successfully written out.

This subcommand would take an additional parameter: --config. This points at a TOML file with roughly the following schema:

table = "credential-store"
default_interval = "1h"

[[template]]
source = "path/to.tmpl"
destination = "path/to/result.conf"
mode = 0o644
owner = "foo"
group = "bar"
create_dest_dirs = true
# A list of daemons to reload if there's a change.
exec = ["foo"]

# How to reload the 'foo' daemon.
[exec.foo]
command = ["pkill", "-HUP", "foo"]
timeout = "5s"

# Put an explicit refresh period on keys. The initial template render tells
# gcredstash which templates have which secrets.
[secret.key-name]
interval = "5m"
# KMS encryption context, if any
context = { foo = "bar" }

After the initial render, gcredstash will have a list of secrets and their corresponding templates, and will schedule the periodic querying of each. If any secrets have their versions incremented since the previous fetch, the corresponding templates will be marked for rendering and any reload tasks will then be executed.

An additional avenue that might be worth considering is some mechanism based on DynamoDB streams. This might be rather heavyweight, however, and I can see it only really being useful in circumstances where a particular secret must be refreshed in close to realtime. This would mean that the agent would need to either (a) listen on an SQS queue or (b) receive notifications on an HTTP endpoint. Both have their issues. An example might be where some credentials for a Docker registry are stored in a credstash table and periodically rotated and the old credentials are immediately invalidated. A secret like this would need to be fetched and written out as soon as it became available.
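One way the polling step described above could be structured, as an added example in Go rather than code from gcredstash or this issue: after the initial render the agent knows which templates use which secrets, and each poll compares fetched versions against the previous fetch to decide which templates to re-render and which exec hooks to run. The Agent type, its field names, the template paths and the secret versions are assumptions constructed for the example; it also deduplicates hooks so a daemon listed by several templates is reloaded once.

```go
package main

import "sort"

// Agent holds what the initial render taught us (constructed types for this
// example, not gcredstash's own): which templates use which secrets, the
// [exec.*] hooks each template lists, and each secret's version last fetched.
type Agent struct {
	usedBy   map[string][]string // secret name -> template destinations using it
	hooks    map[string][]string // template destination -> exec hook names
	lastSeen map[string]int      // secret name -> version at previous fetch
}

// Reconcile compares a poll's versions with the previous fetch. A secret whose
// version rose marks every template using it for re-render; the templates' hooks
// are returned once each (a daemon shared by templates is reloaded once).
func (a *Agent) Reconcile(fetched map[string]int) (renders, execs []string) {
	dirty := map[string]bool{}
	for name, ver := range fetched {
		if ver > a.lastSeen[name] {
			for _, dest := range a.usedBy[name] {
				dirty[dest] = true
			}
		}
		a.lastSeen[name] = ver
	}
	ran := map[string]bool{}
	for dest := range dirty {
		renders = append(renders, dest)
		for _, hook := range a.hooks[dest] {
			if !ran[hook] {
				ran[hook] = true
				execs = append(execs, hook)
			}
		}
	}
	sort.Strings(renders) // deterministic order for callers and tests
	sort.Strings(execs)
	return renders, execs
}

// NewDemoAgent is the state after an initial render of two constructed
// templates: nginx.conf uses db-pass and tls-key, app.env uses db-pass only.
func NewDemoAgent() *Agent {
	return &Agent{
		usedBy:   map[string][]string{"db-pass": {"/etc/nginx.conf", "/etc/app.env"}, "tls-key": {"/etc/nginx.conf"}},
		hooks:    map[string][]string{"/etc/nginx.conf": {"nginx"}, "/etc/app.env": {"app", "nginx"}},
		lastSeen: map[string]int{"db-pass": 2, "tls-key": 5},
	}
}
```

A real agent would call Reconcile on each secret's interval from the config and only run a hook after the template render actually succeeded.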

kgaughan commented 2 weeks ago

Nah, I won't do this. The only reason for me to implement this is a legacy issue at work and credstash in all its incarnations should really be replaced with Secrets Manager or HCP Vault these days when dealing with static secrets.

It would've been a nice idea five years ago though.