Project

General

Profile

Vault » History » Revision 4

Revision 3 (Peter Amstutz, 02/12/2018 09:40 PM) → Revision 4/12 (Nico César, 02/14/2018 03:33 PM)

h1. Vault 

 Going through the docs, a strawman proposal on how to use Vault from an Arvados container: 

 * Credentials are entered into Vault 
 * Client (arvados-cwl-runner?) generates a Vault token with restricted policy (can only read credentials) 
 * Container request is expanded to include Vault token 
 * Vault token cannot be read back from container request via API 
 * Cannot have container reuse with Vault tokens 
 * On the compute node, read the container record 
 * The container record only includes the vault token when queried by the container run token. 
 * The container can now read the secret at the path provided in the input 
 * When the container request is finalized, the Vault token is revoked. 

 Notes: 

 * Credentials may be passed in via environment, config file or command line like any other input, so it would be nice to generalize this as a CWL feature where some inputs are simply marked "sensitive" and automatically handled by Vault.    However, while arvados-cwl-runner is responsible for constructing the container request it doesn't run on the compute node, only crunch-run, which is "dumb", so its not clear how we go about allowing for arbitrary substitution into the environment, command line, or config file on the compute node. 
 * Response wrapping is another mechanism provided by Vault for delegating access.    A wrapped response can be passed through and accessed exactly once (would imply max_container_count: 1). 
 * Another solution is to develop an AuthMethod for vault with Arvados Token proivded by the container.