Vault » History » Version 3
Peter Amstutz, 02/12/2018 09:40 PM
h1. Vault

Going through the docs, a strawman proposal on how to use Vault from an Arvados container:

* Credentials are entered into Vault
* Client (arvados-cwl-runner?) generates a Vault token with a restricted policy (can only read credentials)
* Container request is expanded to include the Vault token
* Vault token cannot be read back from the container request via the API
* Cannot have container reuse with Vault tokens
* On the compute node, read the container record
* The container record only includes the Vault token when queried by the container run token
* The container can now read the secret at the path provided in the input
* When the container request is finalized, the Vault token is revoked
Notes:

* Credentials may be passed in via environment, config file or command line like any other input, so it would be nice to generalize this as a CWL feature where some inputs are simply marked "sensitive" and automatically handled by Vault. However, while arvados-cwl-runner is responsible for constructing the container request, it doesn't run on the compute node; only crunch-run does, and crunch-run is "dumb", so it's not clear how we go about allowing for arbitrary substitution into the environment, command line, or config file on the compute node.
* Response wrapping is another mechanism provided by Vault for delegating access. A wrapped response can be passed through and accessed exactly once (would imply max_container_count: 1).
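The token lifecycle in the strawman above (scoped read-only policy, token minted for one container request, secret read on the compute node, revocation at finalization) and the response-wrapping alternative from the last note, as an added example that is not part of this wiki page and is not Arvados code. It talks to Vault's HTTP API with the Python standard library only. Assumptions not stated on the page: the KV v2 secrets engine is mounted at @secret/@, the credentials for a container request live under @secret/data/arvados/<request-uuid>/@, and @VAULT_ADDR@ plus an operator token with rights to write policies and create tokens are available on the arvados-cwl-runner side. How the token travels inside the container request, and the API-side rule that it cannot be read back, are Arvados concerns that this example does not model.

```python
"""Added example: scope, delegate, use and revoke a Vault token for one container.

Not Arvados code.  Assumes (not on the wiki page): KV v2 mounted at "secret/",
secrets under secret/data/arvados/<request-uuid>/, VAULT_ADDR in the environment.
"""
import json
import os
import urllib.request
from typing import Optional


# --- pure helpers (no network): the policy and token parameters being delegated ---

def read_only_policy(secret_prefix: str) -> str:
    """HCL policy granting read-only access to one secret prefix.

    KV v2 reads go through the "data/" sub-path.  No list/create/update/delete,
    so a leaked token can at most disclose the secrets this container was given.
    """
    return (
        f'path "secret/data/{secret_prefix}/*" {{\n'
        '  capabilities = ["read"]\n'
        '}\n'
    )


def token_request(policy_name: str, ttl: str = "1h", single_use: bool = False) -> dict:
    """Body for POST /v1/auth/token/create.

    no_default_policy stops the token inheriting the broader "default" policy;
    renewable=False and a short ttl bound the damage if revocation never runs;
    num_uses=1 is the token-level counterpart of "accessed exactly once".
    """
    body = {
        "policies": [policy_name],
        "no_default_policy": True,
        "renewable": False,
        "ttl": ttl,
    }
    if single_use:
        body["num_uses"] = 1
    return body


# --- Vault HTTP API calls ---

def vault_call(method: str, path: str, token: str, body: Optional[dict] = None,
               wrap_ttl: Optional[str] = None) -> dict:
    """Minimal Vault API client; 204 responses (policy write, revoke) return {}."""
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method)
    req.add_header("X-Vault-Token", token)
    req.add_header("Content-Type", "application/json")
    if wrap_ttl:
        # Ask Vault to response-wrap: the caller gets a single-use wrapping
        # token instead of the real token (the "response wrapping" note).
        req.add_header("X-Vault-Wrap-TTL", wrap_ttl)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def issue_container_token(operator_token: str, request_uuid: str, wrap: bool = False) -> str:
    """arvados-cwl-runner side: policy scoped to this request, then a token for it.

    With wrap=True the return value is the wrapping token; only the first
    unwrap() yields the real token, so a second unwrap attempt is a tamper signal.
    """
    policy_name = f"arvados-cr-{request_uuid}"
    vault_call("PUT", f"sys/policies/acl/{policy_name}", operator_token,
               {"policy": read_only_policy(f"arvados/{request_uuid}")})
    resp = vault_call("POST", "auth/token/create", operator_token,
                      token_request(policy_name, ttl="4h"),
                      wrap_ttl="10m" if wrap else None)
    return resp["wrap_info"]["token"] if wrap else resp["auth"]["client_token"]


def unwrap(wrapping_token: str) -> str:
    """crunch-run side: exchange the wrapping token for the real token, once."""
    resp = vault_call("POST", "sys/wrapping/unwrap", wrapping_token)
    return resp["auth"]["client_token"]


def read_secret(container_token: str, secret_path: str) -> dict:
    """crunch-run / container side: read one KV v2 secret with the delegated token."""
    return vault_call("GET", f"secret/data/{secret_path}", container_token)["data"]["data"]


def revoke(operator_token: str, container_token: str) -> None:
    """On container request finalization: revoke the token and anything leased under it."""
    vault_call("POST", "auth/token/revoke", operator_token, {"token": container_token})


if __name__ == "__main__":
    op = os.environ["VAULT_TOKEN"]
    cr = "zzzzz-xvhdp-000000000000000"  # hypothetical container request uuid
    tok = unwrap(issue_container_token(op, cr, wrap=True))
    print(read_secret(tok, f"arvados/{cr}/db"))  # only this prefix is readable
    revoke(op, tok)
```

The @revoke@ step is the one that most often gets skipped in practice (a crashed dispatcher, a request that never finalizes), which is why the example also refuses renewal and sets a short TTL: the policy scope limits what a leaked token can read, and the TTL limits for how long.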