
Reloading k8s serviceaccount token dynamically

Open ghost opened this issue 1 year ago • 3 comments

Is your feature request related to a problem? Please describe. We are using the k8s auth method to authenticate a lot of different services against our Vault instance. There are Java and Go applications. On one of our Go applications we just identified that the token it used for the access was expired. The serviceaccount token should be automatically renewed by Kubernetes itself and be remounted into the file. I assume, and the code also looks like that, that the token is read only once from the filesystem when the application starts. So there is no reload/watch of this file later on.

Describe the solution you'd like The client library should watch the file and, if it changes, reload it.

Describe alternatives you've considered A workaround would be to restart the container each time before the token expires.

Additional context We are using the following code to initialize the vault client:

import (
	"context"
	"fmt"

	vault "github.com/hashicorp/vault/api"
	auth "github.com/hashicorp/vault/api/auth/kubernetes"
)

...

// newVaultClient logs in once with the kubernetes auth method; the auth
// library reads the service account token from disk only during this call.
func newVaultClient() (*vault.Client, error) {
	config := vault.DefaultConfig()
	config.Address = "http://our-vault-instance:8200"

	client, err := vault.NewClient(config)
	if err != nil {
		return nil, err
	}

	// the argument is the Vault role name for the kubernetes auth method
	k8sAuth, err := auth.NewKubernetesAuth("our-policy")
	if err != nil {
		return nil, err
	}

	authInfo, err := client.Auth().Login(context.TODO(), k8sAuth)
	if err != nil {
		return nil, err
	}
	if authInfo == nil {
		return nil, fmt.Errorf("no auth info was returned after login")
	}

	// use the client
	return client, nil
}

our go.mod:

module ...

go 1.20

require (
	...
	github.com/hashicorp/vault v1.12.2
	github.com/hashicorp/vault-plugin-auth-kubernetes v0.14.0
	github.com/hashicorp/vault-plugin-secrets-kv v0.13.0
	github.com/hashicorp/vault/api v1.8.2
	github.com/hashicorp/vault/api/auth/kubernetes v0.3.0
	github.com/hashicorp/vault/sdk v0.6.1-0.20221102145943-1e9b0a1225c3
	...
)

ghost, Dec 13 '23 08:12
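The reload the issue asks for can be done on the caller's side today: re-read the projected token file before each login and log in again when the file content changed or the token is close to its exp claim. The example below is added here and is not code from the issue or from the Vault client library; it is standard-library Go only, and it assumes the caller passes the returned token to the auth library (for example via the WithServiceAccountToken login option) and polls it with a margin shorter than the token lifetime.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"os"
	"strings"
	"time"
)

// TokenExpiry reads the exp claim without verifying the signature: it is only
// used locally to schedule a re-login; Vault validates the token on its side.
func TokenExpiry(jwt string) (time.Time, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("not a compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, err
	}
	var claims struct{ Exp int64 `json:"exp"` }
	if err := json.Unmarshal(payload, &claims); err != nil || claims.Exp == 0 {
		return time.Time{}, errors.New("missing or invalid exp claim")
	}
	return time.Unix(claims.Exp, 0), nil
}

// RefreshToken re-reads the projected token file (by default
// /var/run/secrets/kubernetes.io/serviceaccount/token) on every call instead
// of caching it at start-up. It returns the current token and whether the
// caller must log in to Vault again: the content changed (kubelet rotated the
// file) or the token expires within margin. On error prev is kept.
func RefreshToken(path, prev string, now time.Time, margin time.Duration) (string, bool, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return prev, false, err
	}
	tok := strings.TrimSpace(string(raw))
	exp, err := TokenExpiry(tok)
	if err != nil {
		return prev, false, err
	}
	return tok, tok != prev || !now.Add(margin).Before(exp), nil
}
```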

yea we need this feature too.

nia-potato, Dec 15 '23 05:12

FYI: I created this issue with a different account, which I just removed

florianrusch, Jan 03 '24 09:01

Another important argument for this: k8s is moving to time-bound tokens: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1205-bound-service-account-tokens/README.md#safe-rollout-of-time-bound-token

florianrusch-zf, May 14 '24 09:05