Ansible Automation Platform RFEs / AAPRFE-2132

multiple service accounts in Vault integration


    • Type: Feature Request
    • Resolution: Unresolved
    • Priority: Normal
    • Version: 2.5
    • Component: controller

      For the Vault integration, there are multiple methods available. We have primarily looked into the AppRole and Kubernetes auth methods. We do not prefer the AppRole method as it does not automatically rotate credentials. With the Kubernetes auth method, we can use JWT tokens, which rotate by default every hour. From the HashiCorp side, we can create a role and limit access by namespace and service account name to control which secrets can be read.

      However, we encountered an issue: the service account is read on the pod where the controller is running at that moment. This means the service account is always named <name>-controller, which would require us to create a role with access to most of our secrets. Best practice suggests creating permissions based on the principle of least privilege.

      We want to use multiple service accounts in this scenario. Another option could be to create AppRoles and assign a different AppRole to each application or department, but this would require configuring passwords and has no rotation.

      Within AAP I can give a team or user access to only that credential. But from a backend perspective, would all those different credentials in AAP still make use of the same single Kubernetes service account? That single service account would then still have access to most of our secrets within Vault.

      We are aware that there are several options within AAP to use RBAC and give permissions to teams and users.
      You've asked what our requirements are; roughly, this comes down to the following:
        - automated credential rotation
        - access by least privilege
        - separate roles per application or team

      We think Kubernetes auth comes closest to this, but the flaw we see is that the integration uses a single service account on the controller.

      Customer is looking to use the Kubernetes (JWT) [1] login method to look up secrets in HashiCorp Vault; at this moment we do not have this method enabled.

      We can include this new credential plugin in AAP.

      [1] - https://developer.hashicorp.com/vault/docs/auth/kubernetes
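Added illustration for the point raised above (not Vault's code and not the AAP credential plugin): a small model of how a Vault Kubernetes auth role decides whether a service-account JWT may log in, and what the single-controller-service-account design means for least privilege. A role's bound_service_account_names and bound_service_account_namespaces must both match the token's `sub` claim (system:serviceaccount:<namespace>:<name>), with `*` meaning any; the client chooses the role name at login. The role, policy and service-account names, and the tokens themselves, are constructed for the example.

```python
# Added illustration, not Vault's code nor the AAP credential plugin: a model
# of how a Vault Kubernetes auth role decides whether a service-account JWT
# may log in, used to show why one controller service account cannot be
# narrowed per team. Role, policy and service-account names are assumptions.
import base64
import json
from dataclasses import dataclass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_sa_token(namespace: str, name: str) -> str:
    """Build a CONSTRUCTED projected service-account JWT for the example.
    A real token is signed by the kube-apiserver and Vault validates it
    (TokenReview or the issuer's keys); the signature here is a placeholder."""
    header = {"alg": "RS256", "kid": "constructed"}
    payload = {
        "iss": "https://kubernetes.default.svc.cluster.local",
        "sub": f"system:serviceaccount:{namespace}:{name}",
        "aud": ["vault"],
        "kubernetes.io": {"namespace": namespace,
                          "serviceaccount": {"name": name}},
    }
    parts = [_b64url(json.dumps(p).encode()) for p in (header, payload)]
    return ".".join(parts + [_b64url(b"placeholder-signature")])


def sa_identity(jwt: str) -> tuple[str, str]:
    """Return (namespace, service account) from the token's `sub` claim,
    which Kubernetes formats as system:serviceaccount:<namespace>:<name>."""
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    prefix = "system:serviceaccount:"
    sub = payload.get("sub", "")
    if not sub.startswith(prefix):
        raise ValueError("not a service-account token")
    namespace, name = sub[len(prefix):].split(":", 1)
    return namespace, name


@dataclass
class KubernetesRole:
    """Mirrors the binding fields of auth/kubernetes/role/<name>; '*' = any."""
    bound_service_account_names: list[str]
    bound_service_account_namespaces: list[str]
    token_policies: list[str]

    def permits(self, namespace: str, name: str) -> bool:
        def bound(value: str, allowed: list[str]) -> bool:
            return "*" in allowed or value in allowed
        return (bound(name, self.bound_service_account_names)
                and bound(namespace, self.bound_service_account_namespaces))


def login(roles: dict[str, KubernetesRole], role_name: str, jwt: str) -> set[str]:
    """Emulates `vault write auth/kubernetes/login role=<role_name> jwt=<token>`:
    the client picks the role, Vault checks the token against the role's
    bindings and issues a token carrying the role's policies."""
    role = roles[role_name]
    namespace, name = sa_identity(jwt)
    if not role.permits(namespace, name):
        raise PermissionError(
            f"service account {namespace}/{name} not bound to role {role_name}")
    return set(role.token_policies)


def reachable_policies(roles: dict[str, KubernetesRole], jwt: str) -> set[str]:
    """Everything a holder of this token could obtain by trying every role:
    the Vault-side blast radius of one service account, regardless of any
    RBAC applied to credentials inside AAP."""
    namespace, name = sa_identity(jwt)
    return {p for r in roles.values()
            if r.permits(namespace, name) for p in r.token_policies}


# Design 1 (assumed): the single controller SA is bound to a role carrying
# every team's policy, because every AAP credential logs in with that SA.
SINGLE_SA_ROLES = {
    "aap-controller": KubernetesRole(["aap-controller"], ["aap"],
                                     ["team-a-secrets", "team-b-secrets"]),
}

# Design 2 (assumed): one role per team, each bound to that team's own SA.
PER_TEAM_ROLES = {
    "team-a": KubernetesRole(["team-a-runner"], ["aap"], ["team-a-secrets"]),
    "team-b": KubernetesRole(["team-b-runner"], ["aap"], ["team-b-secrets"]),
}

CONTROLLER_TOKEN = make_sa_token("aap", "aap-controller")  # constructed
TEAM_A_TOKEN = make_sa_token("aap", "team-a-runner")       # constructed

if __name__ == "__main__":
    print("single SA, any credential:", login(SINGLE_SA_ROLES, "aap-controller", CONTROLLER_TOKEN))
    print("team-a SA, team-a role:   ", login(PER_TEAM_ROLES, "team-a", TEAM_A_TOKEN))
    print("controller SA can reach:  ", reachable_policies(PER_TEAM_ROLES, CONTROLLER_TOKEN))
    try:
        login(PER_TEAM_ROLES, "team-a", CONTROLLER_TOKEN)
    except PermissionError as err:
        print("denied:", err)
```

The model makes the customer's point concrete: with design 1, every AAP credential, whichever team owns it, presents the same controller token and therefore reaches the union of all policies; with design 2, the controller token is bound to no role at all, which is why the plugin would have to present a per-team service-account token rather than the one read from the controller pod.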

              Brian Coursen (bcoursen@redhat.com)
              Prabhanjan Ugale (rhn-support-pugale)
              Votes: 0
              Watchers: 2