Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Is there any caching for Terraform child tokens, or for tokens created through approle/login? #37

Open
ilyaaxenov opened this issue May 8, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@ilyaaxenov
Copy link

Hello. I am using the vault-provider (v0.4.0) to manage approximately 1000 resources for Vault. In ProviderConfig, I use authentication through approle. Its role allows generate tokens with a TTL of 30 minutes.

I've noticed that the number of tokens/leases in my Vault has significantly increased. There are about 12 thousand of them. Then, I added skip_child_token: true to the ProviderConfig. The number of tokens decreased by half. But 5 thousand leases, which are still growing, are also unpleasant. It seems like I should use a static token for ProviderConfig authorization and enable skip_child_token at the same time to avoid cluttering the Vault with an excessive number of leases?

How does it work internally? To me, it seems like the token from approle and the child token for Terraform are recreated every time the Vault provider needs to refresh/view the resources it maintains. Is that the case? Is there a possibility to enable caching for the provider so that it could reuse, for example, child tokens or approle tokens?

@ilyaaxenov ilyaaxenov added the bug Something isn't working label May 8, 2024
@jaylevin
Copy link
Contributor

I am also experiencing the same issue and have the same question.

@m1so
Copy link
Contributor

m1so commented Nov 8, 2024

based on my limited understanding, the provider creates a new Terraform client/CLI invocation for each reconciliation and doesn't use any sort of caching or lease renewal internally

I'd recommend using External Secrets (or Vault Secret Operator) together with Kubernetes auth method and "project" the Vault token into a Kubernetes Secret for the provider to read (for example via /auth/token/lookup-self endpoint). This way you're maintaining or recreating 1-2 leases at most (e.g. have a dedicated role set up for Kubernetes auth method with token TTL of 60 minutes and ESO generated secret that is refreshed every 50 minutes)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

3 participants