[FEATURE REQUEST] Vault: Distribute authentication details using response wrapping #62828
Labels
Feature
new functionality including changes to functionality and code refactors, etc.
needs-triage
Vault
Comments
lkubb
added
Feature
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
The Salt master fetches Vault authentication details in plaintext and distributes them over its own channels, even though Vault provides an integrated mechanism specifically for this purpose: response wrapping.
Describe the solution you'd like
The Salt master should request wrapped responses and distribute the resulting response wrapping tokens to minions. They can then request the secret from Vault directly, ensuring integrity, secrecy and auditability.
Describe alternatives you've considered
Keep distributing the data as is.
Additional context
https://learn.hashicorp.com/tutorials/vault/pattern-approle?in=vault/recommended-patterns#anti-patterns (Mostly tangential since the Salt master needs to be 100% trusted anyways, but mentions auditability).
The text was updated successfully, but these errors were encountered: