Storing/Retrieving kinit password from shellscript


I'm automating the provisioning of a VM in a kerberized environment. After the new server is created, it needs to join a network. For this, I need to log in to the Kerberos server using kinit and then use net ads join.

The challenge for me is where to store the principal's password that I need to pass to kinit, and how to retrieve it securely. Of course, the requirement is that the automation program must be the only one that can retrieve the password from wherever it is stored. Options I've considered so far:

1) I already know the option of storing the password in a vault (HashiCorp, CyberArk, etc.), but it takes too long to implement/manage, and it's expensive.
2) Store the encrypted password in an environment variable on another VM (within the same private network), and at runtime ssh into that VM, get the password, decrypt it, and then scp it over to the newly created VM.

Do any of the security experts here see issues with (2)? If yes, what are they? What other options exist, if any?

Thanks in advance
