I am using the approle authentication type, which takes in role-id and secret-id along with the root token in the header to generate a client token, which can further be used as an auth token in the header to create and retrieve secrets. This is what happens internally when using Spring Cloud Vault, I guess. Correct me if I'm wrong.
Now, I need to rotate my secret-id every 30 days and the client token every 24 hours. How do I achieve this? Does Spring Cloud Vault provide an inbuilt library to do this? If not, where should I make the changes?
You need to do the equivalent of a
vault write -f auth/approle/role/my-role/secret-id
to get a new secret id. Where you do this is where it gets interesting... I assume you already have a Vault policy that allows you to generate a new secret_id. Make sure that the role_name parameter is fixed to your application's current role. Chances are you will want to limit the metadata, too. I would suggest this pattern:
Now in your application, you must have a periodic task that looks up the latest secret id and reauthenticates to Vault with it.
If possible, I would suggest that you avoid the problem altogether and use the authentication method provided by the platform you are on, if Vault supports it, like GCP, AWS or Kubernetes.
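The rotation loop the answer describes, written out as an added example (not code from the question, the answer, or Spring Cloud Vault, and in Python rather than Java so it runs stand-alone): a periodic task that issues a new secret-id through the same endpoint as `vault write -f auth/approle/role/<role_name>/secret-id` every 30 days, and re-authenticates with role-id and secret-id every 24 hours. The Vault address `https://vault.example:8200`, the role name `my-role`, the role-id and the `rotator-token` are placeholders; the rotator token stands in for a token whose policy allows only secret-id generation for that role, instead of the root token mentioned in the question. The `FakeVault` transport is a constructed stand-in so the example runs offline; swap it for the default HTTP transport to talk to a real server. Unlike the answer's pattern, which leaves open where the new secret-id is generated, this example generates it from inside the application.

```python
import json
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SECRET_ID_TTL = 30 * 24 * 3600   # rotate the secret-id every 30 days
TOKEN_TTL = 24 * 3600            # obtain a fresh client token every 24 hours


def _http_post(url: str, token: Optional[str], body: dict) -> dict:
    """Real transport: POST JSON to Vault, sending X-Vault-Token only when we have one."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


@dataclass
class AppRoleRotator:
    addr: str            # Vault address (placeholder in the demo below)
    role_name: str       # fixed to the application's own role, as the answer advises
    role_id: str
    secret_id: str       # the secret-id the application starts with
    rotator_token: str   # token limited to auth/approle/role/<role_name>/secret-id (assumed policy)
    transport: Callable[[str, Optional[str], dict], dict] = _http_post
    client_token: Optional[str] = None
    secret_id_issued_at: float = 0.0   # assumed: the initial secret-id was issued at t=0
    token_issued_at: float = 0.0

    def _post(self, path: str, token: Optional[str], body: dict) -> dict:
        return self.transport(f"{self.addr.rstrip('/')}/v1/{path}", token, body)

    def rotate_secret_id(self, now: float) -> str:
        """Equivalent of `vault write -f auth/approle/role/<role_name>/secret-id`."""
        resp = self._post(f"auth/approle/role/{self.role_name}/secret-id", self.rotator_token, {})
        self.secret_id = resp["data"]["secret_id"]
        self.secret_id_issued_at = now
        return self.secret_id

    def login(self, now: float) -> str:
        """AppRole login: role-id and secret-id go in the body; no token header is needed."""
        resp = self._post("auth/approle/login", None,
                          {"role_id": self.role_id, "secret_id": self.secret_id})
        self.client_token = resp["auth"]["client_token"]
        self.token_issued_at = now
        return self.client_token

    def tick(self, now: float) -> List[str]:
        """Call from a periodic task; returns the actions taken at this tick."""
        actions: List[str] = []
        if now - self.secret_id_issued_at >= SECRET_ID_TTL:
            self.rotate_secret_id(now)
            actions.append("secret_id")
            self.login(now)           # a new secret-id is followed by a fresh login
            actions.append("login")
        elif self.client_token is None or now - self.token_issued_at >= TOKEN_TTL:
            self.login(now)
            actions.append("login")
        return actions


class FakeVault:
    """Constructed stand-in for Vault so the example runs offline; not a real server."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Optional[str], dict]] = []

    def __call__(self, url: str, token: Optional[str], body: dict) -> dict:
        self.calls.append((url, token, body))
        n = len(self.calls)
        if url.endswith("/secret-id"):
            return {"data": {"secret_id": f"sid-{n}", "secret_id_accessor": f"acc-{n}"}}
        if url.endswith("/login"):
            return {"auth": {"client_token": f"hvs.tok-{n}", "lease_duration": TOKEN_TTL}}
        raise ValueError(f"unexpected path {url}")


def demo():
    """Simulate 31 days of twice-daily ticks; returns (log, rotator, fake)."""
    fake = FakeVault()
    rot = AppRoleRotator("https://vault.example:8200", "my-role", "role-id-xyz",
                         "initial-secret-id", "rotator-token", transport=fake)
    hour = 3600
    log = []
    for day in range(31):
        for offset in (0, 12 * hour):
            now = day * 24 * hour + offset
            actions = rot.tick(now)
            if actions:
                log.append((day, offset // hour, actions))
    return log, rot, fake


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

In the simulation the application logs in once a day for days 0 through 29 and, on day 30, first issues a new secret-id with the rotator token and then logs in with it. A real deployment would replace the simulated clock with a scheduler, persist `secret_id_issued_at` across restarts, and keep the old client token usable until the new login succeeds.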