
Google Secrets Engine - Reuse Service Account Keys #6872

Closed
mtse-aurora opened this issue Jun 12, 2019 · 3 comments

Comments

@mtse-aurora

Is your feature request related to a problem? Please describe.
The Service Account portion of the Google Secrets Engine does not work for me. I have a cluster of Jenkins worker nodes, and a bunch of jobs that request a service account from Vault. The issue is that there's a limit of 10 service account keys per service account. Even with a mildly busy job, that limit is quickly reached.

I know that there are customizable TTLs for the service account keys, but with a limit of 10 keys, there isn't really a suitable TTL to choose. Let's say we have a job that can last for anywhere between 1-15 minutes. If we choose a 15 minute TTL, then running 1 job per minute would exhaust it.

I also know that you suggest using Access Tokens over service accounts. But realistically, there are many applications that must use service accounts. For example, your own Terraform Google provider requires service account authentication.

Describe the solution you'd like
There should be another option/feature in Vault for the service-account-based Google Secrets Engine. I'd like my jobs to be able to independently request tokens from Vault, and Vault would give those jobs the same token, with a rotation.

For example, I set the TTL for the service account keys to 48 hours. Within a 24-hour period, hundreds of jobs request that service account key, and they're all given the exact same key. After 24 hours are up, Vault creates a new service account key, and starts giving that out to any jobs that request it. The previous day's service account key automatically expires in another 24 hours.

This allows arbitrary numbers of jobs to use a service account, while also still allowing for automatic rotation.

Describe alternatives you've considered

  1. Build a caching layer for my Jenkins jobs such that all the workers pull from a centralized cache, and that centralized cache pulls 1 new token from Vault every 24 hours. This seems like a lot of extra infrastructure for something so simple.
  2. Build a sidecar to vault, that uses the key-value V2 secrets engine. Basically every 24 hours, it gets a new service account key from google, puts it as the latest KV-V2 secret value, and expires the old key after 48 hours. This is probably what I'd go with in lieu of a better solution.

Explain any additional use-cases

Additional context
If there's a better way to do this, I'd be happy to try that out!
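
The rotation scheme sketched in the issue (48-hour key TTL, a new key every 24 hours, every job inside a window handed the same key), worked through as an added example that is not from the issue, from Vault or from the GCP secrets plugin. It models the policy in Python with hypothetical names: `RotatingKeyCache`, `mint` and `revoke` are assumptions, with `mint`/`revoke` standing in for the IAM create-key and delete-key calls, and the request timestamps are constructed. The per-request behaviour the issue complains about is modelled beside it (`naive_peak_live_keys`) so both can be compared against the 10-key limit the issue cites.

```python
"""Added example, not code from the issue, Vault or the GCP plugin: a model of
the requested rotation scheme next to the per-request behaviour it replaces.
RotatingKeyCache, mint and revoke are hypothetical names; mint/revoke stand in
for the IAM create/delete service-account-key calls."""

import math
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

HOUR = 3600
GCP_KEY_LIMIT = 10  # user-managed keys per service account, as stated in the issue


@dataclass
class ServiceAccountKey:
    key_id: str
    created_at: int  # seconds; ints keep the simulation deterministic
    expires_at: int


@dataclass
class RotatingKeyCache:
    """Hand every caller the same key until rotation_period elapses, then mint a
    new one. An old key is revoked only at its own TTL, so a job that fetched it
    just before rotation keeps working for the rest of that key's lifetime."""

    mint: Callable[[int], str]      # hypothetical: create a key, return its id
    revoke: Callable[[str], None]   # hypothetical: delete a key by id
    rotation_period: int = 24 * HOUR
    key_ttl: int = 48 * HOUR
    keys: List[ServiceAccountKey] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.key_ttl < self.rotation_period:
            raise ValueError("key_ttl must be >= rotation_period, or a key "
                             "would expire while it is still the one handed out")

    def max_live_keys(self) -> int:
        # Upper bound on keys alive at once; does not depend on request rate.
        return math.ceil(self.key_ttl / self.rotation_period)

    def _expire(self, now: int) -> None:
        live = []
        for k in self.keys:
            if k.expires_at <= now:
                self.revoke(k.key_id)
            else:
                live.append(k)
        self.keys = live

    def get(self, now: int) -> ServiceAccountKey:
        self._expire(now)
        current: Optional[ServiceAccountKey] = self.keys[-1] if self.keys else None
        if current is None or current.created_at + self.rotation_period <= now:
            current = ServiceAccountKey(self.mint(now), now, now + self.key_ttl)
            self.keys.append(current)
        return current


def naive_peak_live_keys(request_times: List[int], key_ttl: int) -> int:
    """One key per request (the dynamic behaviour the issue describes): peak
    number of keys alive at the same moment."""
    peak, expiries = 0, []
    for t in request_times:
        expiries = [e for e in expiries if e > t]
        expiries.append(t + key_ttl)
        peak = max(peak, len(expiries))
    return peak


def simulate_rotation(request_times: List[int], rotation_period: int = 24 * HOUR,
                      key_ttl: int = 48 * HOUR) -> Dict[str, object]:
    """Run the cache over constructed request timestamps and report the outcome."""
    minted: List[str] = []
    revoked: List[str] = []

    def mint(now: int) -> str:
        minted.append(f"key-{len(minted) + 1}")
        return minted[-1]

    cache = RotatingKeyCache(mint=mint, revoke=revoked.append,
                             rotation_period=rotation_period, key_ttl=key_ttl)
    handed_out, peak_live = [], 0
    for t in request_times:
        handed_out.append(cache.get(t).key_id)
        peak_live = max(peak_live, len(cache.keys))
    return {"handed_out": handed_out, "minted": minted, "revoked": revoked,
            "peak_live": peak_live, "bound": cache.max_live_keys()}


if __name__ == "__main__":
    # Constructed workload: one job per minute for three days.
    every_minute_3d = list(range(0, 72 * HOUR, 60))
    print("per-request keys, 15 min TTL, peak live:",
          naive_peak_live_keys(every_minute_3d, 15 * 60))
    r = simulate_rotation(every_minute_3d)
    print("rotating cache: minted", len(r["minted"]), "revoked", len(r["revoked"]),
          "peak live", r["peak_live"], "bound", r["bound"])
```

With one job per minute and a 15-minute TTL, the per-request model holds 15 live keys at once, over the 10-key cap; the rotating cache with the issue's 24h/48h numbers never holds more than two, however many jobs ask. The `key_ttl >= rotation_period` check matters: if the TTL were shorter than the rotation period there would be stretches where the key being handed out had already been revoked.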

@tyrannosaurus-becks
Contributor

@emilymye might have some tips, perhaps.

@emilymye
Contributor

whoops, I totally missed this! yup, we are looking into something that would allow for a "static" account endpoint that automatically rotates the returned secret - it might be better to refile this at https://github.com/hashicorp/vault-plugin-secrets-gcp

@heatherezell
Contributor

Closing this issue in favor of hashicorp/vault-plugin-secrets-gcp#69

5 participants