Revision 1 (Peter Amstutz, 02/12/2018 08:11 PM) → Revision 2/12 (Peter Amstutz, 02/12/2018 09:09 PM)
h1. Vault

Going through the docs, a strawman proposal on how I think this would be the simplest way to use Vault from within an Arvados container:

* Credentials are entered into Vault
* The container input has the path to the desired secret to be read
* The API server creates a new AppRole with restricted policy (can only read credentials), role-name as the uuid of the container, and secret as the container token.
* The container (running on compute node) runs with API: true
* The container uses the container's UUID to get the role_id from vault
* The container uses the role_id and container token (secret_id) to authenticate with vault
* The container can now read the secret at the path provided in the input
* When the container request is finalized, the Vault token is revoked.

Notes:

* Credentials may be passed in via environment, config file or command line like any other input, so it would be nice to generalize this as a CWL feature where some inputs are simply marked "sensitive" and automatically handled by Vault. However, while arvados-cwl-runner is responsible for constructing the container request it doesn't run on the compute node, only crunch-run, which is "dumb", so it's not clear how we go about allowing for arbitrary substitution into the environment, command line, or config file on the compute node.

Text from Revision 1 replaced in this revision:

* Client (arvados-cwl-runner?) generates a Vault token with restricted policy (can only read credentials)
* Container request is expanded to include Vault token
* Vault token cannot be read back from the container request via API token.
* Cannot have container reuse with Vault tokens
* On the compute node, read the container record
* The container record only includes vault token when queried by the container run token.
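The container-side steps of the proposal (AppRole login with role_id and secret_id, read the one path named in the input, revoke the token when the container is finished) against Vault's HTTP API, as an added example that is not part of this wiki page or of Arvados itself. The Vault address, the constructed uuid/token/secret values, the in-memory stand-in for Vault used so it runs offline, and the KV v2 mount at secret/ are assumptions; the stand-in also shows the check that matters for the restricted policy, that a login bound to one container cannot read another container's path.

```python
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen

def vault_http(addr):
    """Real transport over Vault's HTTP API: http(method, path, body, token) -> (status, json)."""
    def http(method, path, body, token):
        headers = {"Content-Type": "application/json", **({"X-Vault-Token": token} if token else {})}
        req = Request(addr.rstrip("/") + path, method=method, headers=headers,
                      data=json.dumps(body).encode() if body is not None else None)
        try:
            with urlopen(req) as r:
                return r.status, json.loads(r.read() or b"{}")
        except HTTPError as e:
            return e.code, {}
    return http

def container_reads_secret(http, role_id, secret_id, path):
    """Container side of the proposal: AppRole login, read one KV v2 path, revoke the token."""
    status, resp = http("POST", "/v1/auth/approle/login", {"role_id": role_id, "secret_id": secret_id}, None)
    if status != 200:
        raise PermissionError("AppRole login rejected (HTTP %d)" % status)
    token = resp["auth"]["client_token"]
    try:
        status, resp = http("GET", "/v1/secret/data/" + path, None, token)  # KV v2 mounted at secret/
        if status != 200:
            raise PermissionError("read of %s denied by policy (HTTP %d)" % (path, status))
        return resp["data"]["data"]
    finally:
        http("POST", "/v1/auth/token/revoke-self", None, token)  # container finalized: token gone

# Constructed offline stand-in for Vault: one AppRole (role_id = container uuid, secret_id = container token) whose policy permits reading only this container's own path.
ROLE_ID, SECRET_ID, TOKEN = "zzzzz-dz642-000000000000001", "constructed-container-token", "s.constructed"
ALLOWED = "/v1/secret/data/containers/" + ROLE_ID + "/db"
live = set()  # tokens not yet revoked

def fake_vault(method, path, body, token):
    if path == "/v1/auth/approle/login":
        if (body["role_id"], body["secret_id"]) != (ROLE_ID, SECRET_ID):
            return 400, {"errors": ["invalid role or secret ID"]}
        live.add(TOKEN)
        return 200, {"auth": {"client_token": TOKEN}}
    if token not in live:
        return 403, {"errors": ["permission denied"]}  # revoked or bogus token
    if path == "/v1/auth/token/revoke-self":
        live.discard(token)
        return 204, {}
    if (method, path) == ("GET", ALLOWED):
        return 200, {"data": {"data": {"password": "hunter2"}}}
    return 403, {"errors": ["permission denied"]}  # policy denies every other path
```

Against a real server, pass `vault_http("http://vault.example:8200")` instead of `fake_vault`; the token is revoked in the `finally` branch even when the read is denied.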