Add support for vault

[jwerak]

IMO https://www.vaultproject.io/ is perfect match for this tool.

[jjmason]

Providing an open standard for secrets managers like Vault and Conjur is a primary goal of this project (it evolved from a Conjur specific tool).

The prerequisite is to add a feature where summon can periodically check to see if a secret's value has changed, and if so restart the child process with the new value. This is because vault secrets come with a lease period, after which the secret's value is no longer guaranteed to be valid.

This would be a win for the Conjur provider as well, so it's definitely on the roadmap.

[jwerak]

I am really glad to hear that. I have chilly feeling you are on the right track 👍

[kgilpin]

tl;dr I think Summon should periodically poll the provider to see if the secrets have changed. The polling frequency could be a CLI invocation option, or an option somehow indicated in secrets.yml?

Lease times are interesting but there's also a very simple way to detect when a process restart is needed: just poll the secrets provider periodically to see if the secret value has changed or not. If any secrets have changed, restart the process. If not, leave it alone.

I don't think that Vault's lease time actually negates the need for polling (or otherwise checking that a secret has changed). Consider the following scenario: a secret is created with a lease time of 2 days. Then, a few hours later, it's discovered that the secret has possibly been compromised and must be rotated. Therefore, the "2 day" secret is invalidated before the lease time, a new value is available, and the child process must be restarted. Summon must not wait 2 days before checking with Vault, regardless of the lease time.

A lease time of 2 days doesn't mean "you can wait two days before refreshing the secret". It means, "you must not wait longer than 2 days before checking if the secret has changed". However, a rather long service interruption could occur.

[kgilpin]

PS Conjur supports arbitrary annotations (metadata) on secrets (variables); this facility can certainly be used to indicate lease time as well.

[drpebcak]

+1 on this. It would be awesome to use Vault as a provider for this.

[razor-1]

Vault also supports 'dynamic' backends, such as for AWS IAM roles. In this case, vault returns both the access and secret keys from AWS at the same time. So summon may need a way to get more than one value from a provider.

[dustinmm80]

Do people still want this?

[daghoidahl]

I still would like this feature. I currently don't use either Conjur or Vault, but the combination sounds sweet.

[dustinmm80]

Yeah, makes sense. The tough part is that Conjur and Vault have a few overlapping features so most people seem to use one of the other, not both. Conjur has a vault too; that is a side effect of machine identity, like SSH management or traffic authorization. Conjur is effectively a superset of Vault.

I think this is why the issue has been open for so long, because the integration path is unclear. Very open to suggestions though!

[slimm609]

Summon doesn't require conjur in order to function. We use summon without conjur (summon-s3 and summon-file extensions). So IMO it would just be an alternative to conjur, just like the extensions are.

[stanislavbebej]

I agree with @slimm609. I don't consider summon to be a part of conjur even though cyberark maintains both projects. I consider it to be an interface to a vault in general - be it conjur, s3, hashicorp vault etc. I too would really like to see a summon-vault provider.

[PeteW]

(disclaimer: I'm a beginner with vault)
It seems the basic KV engine (version 1 or 2) has great value in and of itself and is easy to implement as a summon provider.

If you agree try this custom KV provider.

Perhaps in the near future I can expand on it as need arises.