spiffe / spire

The SPIFFE Runtime Environment
https://spiffe.io
Apache License 2.0

Feature Request: Use HashiCorp Vault as a SPIRE Server KeyManager #5058

Open InverseIntegral opened 4 months ago

InverseIntegral commented 4 months ago

We are currently using HashiCorp Vault as our UpstreamAuthority for our SPIRE setup and we would like to also use the Vault as a KeyManager. Therefore, we propose the addition of a new plugin that integrates Vault into the SPIRE ecosystem via a KeyManager plugin. This plugin could be applied to both the spire-server and the spire-agent. One thing that we should consider is whether Vault supports the appropriate key types that are used by SPIRE.

I would also be willing to implement such a plugin but I'm not quite sure where to get started.

evan2645 commented 4 months ago

Thanks for opening this @InverseIntegral ❤️

I think there's a clear use case for Vault-based KeyManager on SPIRE Server .. I took the liberty of updating this issue title to reflect that. Use case around SPIRE Agent plugin for this is a little more hazy to me, so I'd like to suggest you create a new issue for that if you're interested, there will probably be some questions there.

In terms of moving this contribution forward, the best resource will be the SPIRE channel in SPIFFE slack .. post a message there that you're trying to author a plugin and someone can help. You can see current plugin implementations here and SDK containing the protos and utils for building out-of-tree plugins here.
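To make concrete what a Vault-backed server KeyManager would have to provide (the key-type question raised in the first comment, and the shape of an out-of-tree plugin as pointed to above), here is an added Go example; it is not SPIRE's code, not the plugin SDK's, and not a Vault plugin. It keeps keys in process as a stand-in for Vault, and its operation names (GenerateKey, GetPublicKey, SignData), the four key types, and the mapping to Vault transit key types are assumptions of this example rather than values taken from SPIRE or Vault. The point it shows is that the server only ever sees PKIX public keys and signatures, so the private key can live entirely inside the KeyManager's backend.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// KeyType: the key types a SPIRE server KeyManager is asked to produce (assumed here).
type KeyType int

const (
	ECP256 KeyType = iota
	ECP384
	RSA2048
	RSA4096
)

// VaultTransitType: the Vault transit key type a Vault-backed KeyManager would create for each SPIRE key type (this example's assumption).
var VaultTransitType = map[KeyType]string{
	ECP256: "ecdsa-p256", ECP384: "ecdsa-p384",
	RSA2048: "rsa-2048", RSA4096: "rsa-4096",
}

// PublicKey is what the KeyManager returns: PKIX DER plus a SHA-256 fingerprint the server uses to recognise the key.
type PublicKey struct {
	ID          string
	PKIXData    []byte
	Fingerprint string
}

// MemoryKeyManager keeps keys in process; a Vault-backed one would keep them in Vault and call its sign endpoint.
type MemoryKeyManager struct{ keys map[string]crypto.Signer }
func NewMemoryKeyManager() *MemoryKeyManager { return &MemoryKeyManager{keys: map[string]crypto.Signer{}} }

// GenerateKey creates the key under id, replacing any existing key with that id so a caller can rotate by regenerating.
func (m *MemoryKeyManager) GenerateKey(id string, kt KeyType) (*PublicKey, error) {
	var signer crypto.Signer
	var err error
	switch kt {
	case ECP256, ECP384:
		curve := map[KeyType]elliptic.Curve{ECP256: elliptic.P256(), ECP384: elliptic.P384()}[kt]
		signer, err = ecdsa.GenerateKey(curve, rand.Reader)
	case RSA2048, RSA4096:
		signer, err = rsa.GenerateKey(rand.Reader, map[KeyType]int{RSA2048: 2048, RSA4096: 4096}[kt])
	default:
		err = fmt.Errorf("unsupported key type %d", kt)
	}
	if err != nil {
		return nil, err
	}
	m.keys[id] = signer
	return m.GetPublicKey(id)
}

// GetPublicKey exports the public half as PKIX DER and fingerprints it.
func (m *MemoryKeyManager) GetPublicKey(id string) (*PublicKey, error) {
	signer, ok := m.keys[id]
	if !ok {
		return nil, fmt.Errorf("no such key %q", id)
	}
	der, err := x509.MarshalPKIXPublicKey(signer.Public())
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(der)
	return &PublicKey{ID: id, PKIXData: der, Fingerprint: hex.EncodeToString(sum[:])}, nil
}

// SignData signs a precomputed digest; the private key never leaves the KeyManager.
func (m *MemoryKeyManager) SignData(id string, digest []byte, hash crypto.Hash) ([]byte, error) {
	signer, ok := m.keys[id]
	if !ok {
		return nil, fmt.Errorf("no such key %q", id)
	}
	return signer.Sign(rand.Reader, digest, hash)
}

// Verify checks a signature against the exported PKIX key, which is all the server ever holds.
func Verify(pub *PublicKey, digest, sig []byte, hash crypto.Hash) bool {
	parsed, err := x509.ParsePKIXPublicKey(pub.PKIXData)
	if err != nil {
		return false
	}
	switch key := parsed.(type) {
	case *ecdsa.PublicKey:
		return ecdsa.VerifyASN1(key, digest, sig)
	case *rsa.PublicKey:
		return rsa.VerifyPKCS1v15(key, hash, digest, sig) == nil
	}
	return false
}
```

A real plugin would replace the map of signers with calls to Vault, so GenerateKey becomes a transit key create, GetPublicKey reads the key's public material, and SignData posts the digest to the sign endpoint; the server-facing contract (PKIX bytes in, signatures out, private key never exported) stays the same, which is also what makes the key-type compatibility question the one that decides whether Vault can back every key the server asks for.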

evan2645 commented 4 months ago

@InverseIntegral if you're still willing to carry this forward please let me know and I'll assign the issue to you. You can find me on SPIFFE slack as well. Thank you!! 🙏

InverseIntegral commented 4 months ago

@evan2645 Thanks for getting back to me. Yes, my intention was to implement this for the SPIRE server first. I've also thought about a use-case for a similar plugin for the SPIRE agent but that would require a separate issue. I would love to work on this once I'm back home from my extended holidays, so feel free to assign the issue to me 🙂 And thank you for the pointers to previous plugin implementations!