Secure AI API Key Rotation with Vault

Question

Pulumi · Accepted Answer

Rotating API keys regularly is a best practice for secure API management. This practice helps to minimize the risk of unauthorized access resulting from key leaks or unauthorized key usage. With HashiCorp Vault, you can automate API key rotation and tightly control access to secrets.

In the following Pulumi Python program, we are going to create a Vault instance and configure it to rotate API keys automatically. We will use the Vault provider for Pulumi, which allows us to manage Vault resources such as authentication backends, secrets backends, policies, etc.

The key components of this program are:
- `vault.AuthBackend`: This resource enables authentication methods in Vault. We'll configure a JWT (JSON Web Token) backend as it's commonly used for APIs.
- `vault.aws.SecretBackend`: This is a Vault secret backend for AWS, which generates AWS access credentials dynamically based on IAM policies.
- `vault.database.SecretsMount`: This resource enables Vault's database secrets engine, which can manage and rotate database credentials automatically.

Here's what the program will do:
1. Enable and configure a JWT authentication backend.
2. Set up an AWS secret backend to create and rotate AWS API keys.
3. Enable secrets engine for a hypothetical database and establish a rotation policy for its credentials.

Before you run this program, ensure that you have the Vault server up and configured, and that you’ve set the corresponding provider configuration for Pulumi.

Let's walk through the code now:

```python
import pulumi
import pulumi_vault as vault

# Enable a JWT auth backend in Vault
jwt_auth_backend = vault.jwt.AuthBackend("jwtAuthBackend",
    description="JWT Auth Backend",
    # The path to mount the JWT backend; defaults to the name of the resource.
    path="jwt",
    # Configuration options for the JWT backend.
    bound_issuer="example-issuer",
    jwks_url="https://example.com/.well-known/jwks.json",
    jwt_supported_algs=["RS256"],
)

# Set up an AWS secret backend in Vault
aws_secret_backend = vault.aws.SecretBackend("awsSecretBackend",
    description="AWS Secret Backend",
    path="aws",
    region="us-west-2",
    default_lease_ttl_seconds=3600,  # The default TTL for leases associated with secrets.
    max_lease_ttl_seconds=86400,  # Maximum possible lease duration for secrets in seconds.
)

# Enable a database secrets engine and configure automatic rotation
database_secrets_mount = vault.database.SecretsMount("databaseSecretsMount",
    path="database",
    description="Database Secrets Engine",
    local=True,
    seal_wrap=False,
    max_lease_ttl_seconds=3600,
    default_lease_ttl_seconds=600,
    # Configure the database connection and credentials rotation statement
    mysqls=[{
        "name": "mysql-database",
        "connection_url": "user:password@tcp(127.0.0.1:3306)/dbname",
        "allowed_roles": ["my-role"],
        "username": "vaulter",
        "password": pulumi.Output.secret("dbpassword"),
        # SQL statement to rotate the root user credentials
        "root_rotation_statements": ["ALTER USER '{{username}}'@'%' IDENTIFIED BY '{{password}}';"],
    }],
)

pulumi.export("jwt_auth_backend_path", jwt_auth_backend.path)
pulumi.export("aws_secret_backend_path", aws_secret_backend.path)
pulumi.export("database_secrets_mount_path", database_secrets_mount.path)
```

In this program, we first set up a JWT auth backend which allows for authentication using JWT tokens. The JWT tokens are validated using the provided issuer and JWKs endpoint.

Then we set up an AWS secret backend which, upon access, provides temporary AWS credentials based on IAM policies. This backend will handle the automatic rotation of access keys based on the lease durations configured (`default_lease_ttl_seconds` and `max_lease_ttl_seconds`).

Finally, we configure a database secrets engine that will manage and rotate database credentials. We specify the connection information and also provide a statement for root credential rotation.

The `pulumi.export` lines at the end of the program will output the paths where these services are mounted in Vault, which can be used to access them via the Vault API or CLI.

To get started with this Pulumi program:
1. Ensure you have Pulumi CLI installed and configured for use with Python.
2. Have Vault server running and accessible.
3. Install the Pulumi Vault provider by running `pip install pulumi_vault`.
4. Create a new directory for your Pulumi program, place the above Python code in a file named `__main__.py` in that directory.
5. Run `pulumi up` to create and deploy these Vault configurations.

After running the program, your Vault instance will have the specified auth backend and secret backends configured for API key rotation.