vault agent enforce auto auth token

Created on 9 Dec 2019 · 4 Comments · Source: hashicorp/vault

Is your feature request related to a problem? Please describe.
We have many applications based on Spring Vault Cloud 1.1.3. We want to migrate to Kubernetes and use Vault Agent Caching as a 'sidecar' container.
But as we know:

  1. For Spring Vault Cloud, a Vault token is mandatory. We can't set empty token.
  2. For Vault Agent caching: if the requests already bear a token, this configuration will be overridden and the token in the request will be used to forward the request to the Vault server.
    https://www.vaultproject.io/docs/agent/caching/index.html#configuration-cache-

We want to make sure the requests made to Vault Agent will always be forwarded to the Vault server with the auto-auth token attached.

Describe the solution you'd like
Could we provide a new configuration flag, like use_auto_auth_token_enforce?


All 4 comments

It feels like the right solution is to instead patch Spring Vault to allow an empty token.

Hi @jefferai,
Spring Vault is coupled with the application source code, while Vault Agent is a 'sidecar' component.
So we think patching Vault Agent is easier.

PS. In my opinion, Spring Vault 1.x is too old; nobody will patch it.

Looking at Spring Vault codebase, it would be a very difficult patch given that the internal notion of VaultToken is being carried all throughout the code, so adding a multitude of checks for if vaultToken == null would be a bit rough. ;)
It also does not help with any other frameworks which might, or might not, also have the same expectation of always expecting a vault token to be present.

Looking at the vault agent codebase it "appears" that the fix could be relatively simple.

  1. Add another property - use_auto_auth_token_enforce to https://github.com/hashicorp/vault/blob/master/command/agent/config/config.go#L45
  2. Pass the config value when creating cache.Handler in https://github.com/hashicorp/vault/blob/master/command/agent.go#L459
  3. If the use_auto_auth_token_enforce is set to true, ignore setting the token from client request header in https://github.com/hashicorp/vault/blob/master/command/agent/cache/handler.go#L27
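The three-step change sketched in the comment above, as an added example that is not Vault's own code: a stripped-down Go handler that decides which token is attached to a request before it is forwarded upstream. The config field names, the tokenSink type, the forwardedToken helper and the sample token values are assumptions made for this illustration; the real agent's config and cache handler are structured differently. The only security-relevant decision is in resolveToken: with the proposed enforce flag set, a token supplied by the client in X-Vault-Token can no longer displace the agent's auto-auth token.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// agentConfig is a simplified stand-in for the agent's cache configuration.
// use_auto_auth_token is an existing agent option; use_auto_auth_token_enforce
// is the flag proposed in this issue. The Go field names are assumptions.
type agentConfig struct {
	UseAutoAuthToken        bool
	UseAutoAuthTokenEnforce bool
}

// tokenSink stands in for the agent's auto-auth token sink, which a renewal
// goroutine updates over time (hence the lock). Constructed for this example.
type tokenSink struct {
	mu    sync.RWMutex
	token string
}

func (s *tokenSink) Get() string {
	s.mu.RLock()
	defer s.mu.RUnlock()
	return s.token
}

func (s *tokenSink) Set(t string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.token = t
}

// resolveToken is the decision the proposed flag changes. Without enforce, a
// token supplied by the client in X-Vault-Token overrides the auto-auth token
// (the documented behaviour quoted in the issue). With enforce, the auto-auth
// token is always used, so a client-supplied placeholder or stale credential
// never reaches Vault.
func resolveToken(cfg agentConfig, clientToken, autoAuthToken string) string {
	if cfg.UseAutoAuthToken && cfg.UseAutoAuthTokenEnforce {
		return autoAuthToken
	}
	if clientToken != "" {
		return clientToken
	}
	if cfg.UseAutoAuthToken {
		return autoAuthToken
	}
	return ""
}

// newHandler wraps next (the cache/proxy layer in a real agent) and rewrites
// the X-Vault-Token header according to resolveToken before forwarding.
func newHandler(cfg agentConfig, sink *tokenSink, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := resolveToken(cfg, r.Header.Get("X-Vault-Token"), sink.Get())
		if tok == "" {
			// Nothing to attach: forward without a token.
			r.Header.Del("X-Vault-Token")
		} else {
			r.Header.Set("X-Vault-Token", tok)
		}
		next.ServeHTTP(w, r)
	})
}

// forwardedToken runs one request through the handler against a fake upstream
// and returns the token the upstream actually saw.
func forwardedToken(cfg agentConfig, sinkToken, clientHeader string) string {
	var seen string
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("X-Vault-Token")
		w.WriteHeader(http.StatusOK)
	})
	sink := &tokenSink{}
	sink.Set(sinkToken)
	req := httptest.NewRequest(http.MethodGet, "/v1/secret/data/app", nil)
	if clientHeader != "" {
		req.Header.Set("X-Vault-Token", clientHeader)
	}
	newHandler(cfg, sink, upstream).ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	// Sample token values are constructed; they are not real Vault tokens.
	enforce := agentConfig{UseAutoAuthToken: true, UseAutoAuthTokenEnforce: true}
	relaxed := agentConfig{UseAutoAuthToken: true}
	fmt.Println("enforce, client sent placeholder:", forwardedToken(enforce, "s.agent-token", "s.placeholder"))
	fmt.Println("relaxed, client sent placeholder:", forwardedToken(relaxed, "s.agent-token", "s.placeholder"))
	fmt.Println("relaxed, no client token:        ", forwardedToken(relaxed, "s.agent-token", ""))
}
```

The relaxed configuration reproduces the documented override: a Spring Vault client that must send some token would have that placeholder forwarded to Vault and rejected there. The enforce configuration is what the issue asks for: the sidecar's own auto-auth token is used regardless of what the workload sends, which also means a leaked or expired token inside the pod cannot be replayed through the agent.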

I merged https://github.com/hashicorp/vault/pull/8101, and will follow up with a separate pull request for the corresponding documentation.
