Peter Amstutz, 02/12/2018 08:11 PM


Vault

Going through the docs, I think this would be the simplest way to use Vault in an Arvados container:

  • The container input has the path to the desired secret to be read.
  • The API server creates a new AppRole with the container's UUID as the role name and the container token as the secret.
  • The container (running on a compute node) runs with API: true.
  • The container uses its UUID to get the role_id from Vault.
  • The container uses the role_id and the container token (as secret_id) to authenticate with Vault.
  • The container can now read the secret at the path provided in the input.
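
The steps above written out as Vault HTTP API calls; this is an added example, not Arvados code. Assumptions: a KV v1 secret layout, a hypothetical per-container policy name, a single-use secret_id, and a `lookup_token` allowed to read the role's role_id (Vault requires a token for that call and the page does not say which one the container uses).

```python
import json
import urllib.request

def send(vault_addr, method, path, body=None, token=None):
    """Send one JSON request to Vault's HTTP API and return the decoded reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(vault_addr + path, data=data, method=method)
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def api_server_requests(container_uuid, container_token, secret_path):
    """Requests the API server makes, with its own Vault token, before the container runs."""
    role = f"/v1/auth/approle/role/{container_uuid}"
    policy = f"container-{container_uuid}"  # hypothetical policy name
    # Limit the resulting Vault token to reading the one path named in the input.
    rule = f'path "{secret_path}" {{ capabilities = ["read"] }}'
    return [
        ("PUT", f"/v1/sys/policies/acl/{policy}", {"policy": rule}),
        # Assumption: a single-use secret_id, consumed by the container's one login.
        ("POST", role, {"token_policies": [policy], "secret_id_num_uses": 1}),
        # The container token becomes the AppRole secret_id.
        ("POST", f"{role}/custom-secret-id", {"secret_id": container_token}),
    ]

def fetch_secret(container_uuid, container_token, secret_path, lookup_token, call):
    """Container side. call(method, path, body, token) performs one request,
    e.g. functools.partial(send, vault_addr) for a real Vault server."""
    role = f"/v1/auth/approle/role/{container_uuid}"
    # Container UUID -> role_id (needs a token with read access on this path).
    role_id = call("GET", f"{role}/role-id", None, lookup_token)["data"]["role_id"]
    # role_id + container token (secret_id) -> short-lived Vault token.
    login = call("POST", "/v1/auth/approle/login",
                 {"role_id": role_id, "secret_id": container_token}, None)
    vault_token = login["auth"]["client_token"]
    # Read the secret at the path given in the container input (KV v1 layout).
    return call("GET", f"/v1/{secret_path}", None, vault_token)["data"]
```
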
