Vault KV for Credential Rotation in AI Workloads

Question

Pulumi · Accepted Answer

To manage secrets, such as API keys or credentials, in your AI workloads with rotation best practices, a tool like Vault can be incredibly useful. [HashiCorp Vault](https://www.vaultproject.io/) is a tool designed for securing, storing, and tightly controlling access to tokens, passwords, certificates, encryption keys for protecting secrets, and other sensitive data.

Vault offers Key/Value (KV) secrets engine, which allows you to securely store and manage sensitive information - the KV can be either version 1 for an unversioned KV store, or version 2 for a versioned KV store. Credential rotation can be facilitated by using the versioned KV (SecretBackendV2), where you have the ability to version, rotate, and expire secrets.

Below is a Pulumi program in Python that demonstrates how to set up a Vault KV secrets engine for credential rotation in AI workloads. We will use the `vault` Pulumi provider to create a Vault secret. For simplicity’s sake, we will focus on defining the secret, and assume that Vault is already deployed and properly configured.

```python
import pulumi
import pulumi_vault as vault

# Create a new Vault KV version 2 secret backend. This backend will store our secrets and support versioning and rotation.
kv_backend = vault.kv.SecretBackendV2("aiWorkloadKV",
    path="ai-workload",
    cas_required=True, # Check-and-set operation must be used on this backend
    max_versions=5, # Retain up to 5 versions of a secret before purging
)

# Define a secret with some fictional credentials
# Here we use the secret engine previously defined and add a secret to it.
# The data_json represents our sensitive data in serialized JSON format.
secret_credentials = vault.kv.SecretV2("aiCredentials",
    mount=kv_backend.mount,
    name="api-creds",
    data_json=pulumi.Output.secret("""{
        "api_key": "initial_secret_api_key_value",
        "api_secret": "initial_secret_api_secret_value"
    }"""),
)

# It's good practice to not hardcode secrets, but they could be loaded from a configuration file,
# environment variables, or generated dynamically.

# Export the secret's path in Vault
pulumi.export("secretPath", secret_credentials.id.apply(lambda id: f"{kv_backend.path}/data/{id}"))
```

In this Pulumi program, we:

1. Imported the necessary libraries (`pulumi` and `pulumi_vault`).
2. Created a Vault KV version 2 secret backend `SecretBackendV2` which is a mountable secret engine capable of versioning secrets.
3. Added a secret `SecretV2` to the backend with fictional API credentials in its data field, serialized as JSON. The `pulumi.Output.secret` is used to mark the JSON data as a secret, meaning Pulumi will treat it as sensitive material and avoid leaking it into plain text in state files or outputs.
4. Finally, we exported the path where the secret can be accessed within Vault. The `.apply` method is used to transform the `id` output into the necessary format─showing an example of how you can manipulate Pulumi outputs.

Credential rotation is not explicitly shown here because it typically involves orchestrating Vault with your application's lifecycle or using additional Vault features like dynamic secrets for databases. Credential rotation policies will require additional logic to replace or update secrets in Vault and potentially to signal or redeploy your AI workload with the new credentials.

For detailed guidance on using Vault with Pulumi, including setting up Vault itself if it's not already, refer to the Pulumi documentation on the [Vault provider](https://www.pulumi.com/registry/packages/vault/) and the [Vault project's extensive documentation](https://www.vaultproject.io/docs).