Dynamic Credentials?

[TJM]

We have a need to use dynamic credentials (example: TTL: 1h; MAX_TTL: 24h) in a nodejs application. This library appear to provide access to static credentials, but it does not appear to support dynamic credentials. Please correct me if I am wrong (as I am certainly not a developer)...

• After authentication, the authentication token does not appear to be "handled" (lease renewal) automatically.
• Reading credential tokens also does not appear to pay attention to the leases.

If the authentication token or credential lease is not maintained, then Vault will revoke the credentials to the leased credential, in this case MongoDB.

Additionally, when we hit the "max" TTL, the authentication credential will need to be replaced, and there didn't appear to be any sort of "callback" mechanism to notify the rest of the application (db pool?)

Thanks,
Tommy

[aviadhahami]

Hi @TJM - feel free to PR this :D

[TJM]

;) For now, we are using Vault Agent (injector) and writing the credentials to a file in tmpfs, which is read by the node app whenever it needs to authenticate. I feel like the integration could still be made better, but its their app :)

[aviadhahami]

Hey @TJM
not sure wdym; do u mind elaborating?

[TJM]

@aviadhahami - Instead of using this SDK to integrate to vault directly, we are using Vault Agent as a sidecar container, which handles the authentication (kube auth) and maintaining the lease for that token and the lease for the mongoDB credentials. The Vault Agent just places the credentials into a "file" (creds.json), which the node app picks up whenever it needs to authenticate. It also has a (try/catch?) to re-read the file and re-authenticate when there is an error, which handles when the credentials are forcefully cycled every N days.

[aviadhahami]

To ensure I understand, you'd like this lib to handle credential rotations throughout its lifespan. is this correct?

[TJM]

Yes, we would like this SDK to handle dynamic credentials. Right now it handles static credentials, but not dynamic ones. The Vault agent solution is a workaround.

Here is an example of the vault setup: https://developer.hashicorp.com/vault/tutorials/db-credentials/database-secrets

... admittedly we are using Atlas MongoDB, but for the purposes of the vault SDK, the type of credential doesn't matter much.

In this tutorial setup, the application logs in and retrieves a database password (GET /database/creds/readonly). That works and this SDK handles that fine, but after 1h, those credentials will be expired, unless the application renews the lease for the credential. Usually, the lease would be renewed at about 75-85% of its expiration(~45-51m). That will keep the current set of credentials from being expired by the Vault server. After 23 hours, it would be approaching the "max_ttl" value of 24h, so when it tries to renew the lease it will get a "warning" from Vault saying that it could not renew for an hour, and letting it know the remaining time...

Example:

• lease time (default_ttl): 60m
• max lease time (max_ttl): 24h (1440m)
• Renew every 48m (80%)
• renewals would happen at approximately: 48m, 96m, 144m, ..., 1392m, 1440m(*)

Now, as we all know, it will not possibly come out exact like that. Each renewal request will take some time, and there should probably be a little bit of randomness sprinkled in to prevent a "thundering herd" on renewals, but on the last renewal when there is not 60m left of available TTL, it will renew up to the max_ttl and return a warning that it could not renew the lease for the full time, and tell how long it is valid for. At this point, it should retrieve a new credential by re-issuing the GET request for the credentials and starting the whole process again. Ideally, there will be a small amount of overlap when both sets of credentials are valid, and the SDK can offer a mechanism to do a "callback" (?) to let the application know that it needs to reconnect to the database (refresh the pool, whatever).

Additionally, this same functionality will need to be used to maintain the "token" which is returned after authentication. It also has a lease, and if that token expires, all credentials associated to it will also expire.

I would highly recommend taking a look at the vault agent code. I know its not the same language, but it already does this, and can offer an algorithm at least. Additionally, they probably are aware of things that I did not cover above. :)

~tommy

[aviadhahami]

Hey @TJM !
I understand the issue better now - thx for the explanation

I do have limited amount of time tho, so I am not sure when I'll be able to attend this
Please feel free to start a draft PR and I'll join your efforts 🙇‍♂️