Credentials Management for AI-Powered Applications with Vault

Question

Pulumi · Accepted Answer

HashiCorp Vault is an identity-based secrets and encryption management system. It provides a secure centralized platform for credential management, allowing you to manage access to various systems, applications, and environments. In the context of AI-powered applications that may require access to sensitive data or resources, Vault can be used to properly manage and rotate credentials, API keys, and other secrets.

In this Pulumi program, we'll use the `pulumi_vault` package to manage credentials for AI applications. We will specifically:

1. Set up a Vault server where our secrets will be stored.
2. Write secrets to Vault for use in an AI application.
3. Define a policy in Vault that specifies who can access these secrets.
4. Create a role that associates the set of permissions in our defined policy.

For simplicity, I'll assume that you have Vault installed and properly configured. This Pulumi program doesn't cover setting up Vault itself, but focuses on how to use Pulumi to interact with an existing Vault server.

Here's how we can do it:

```python
import pulumi
import pulumi_vault as vault

# Initialize the Vault provider.
vault_provider = vault.Provider('vault-provider', address='http://127.0.0.1:8200', token='your-vault-token')

# Write a secret to Vault for the AI application.
ai_app_secret = vault.GenericSecret('ai-app-secret',
    path='secret/data/ai-app',
    data_json={
        'api_key': 'sensitive-api-key',
        'db_password': 'sensitive-db-password',
    },
    opts=pulumi.ResourceOptions(provider=vault_provider))

# Define a Vault policy with permissions for the AI application.
ai_app_policy = vault.Policy('ai-app-policy',
    name='ai-app-policy',
    policy="""
    path "secret/data/ai-app" {
        capabilities = ["read"]
    }
    """,
    opts=pulumi.ResourceOptions(provider=vault_provider))

# Create an AppRole with the policy defined above.
ai_app_role = vault.AppRole('ai-app-role',
    role_name='ai-app-role',
    token_policies=['ai-app-policy'],
    opts=pulumi.ResourceOptions(provider=vault_provider))

# Export the role_id and secret_id of the AppRole which you can use to authenticate.
role_id = pulumi.Output.secret(ai_app_role.role_id)
secret_id = pulumi.Output.secret(ai_app_role.secret_id)

pulumi.export('role_id', role_id)
pulumi.export('secret_id', secret_id)
```

This program does the following:

- Initializes the Vault provider, pointing to a local Vault server and using a specified token. Be sure to replace `'your-vault-token'` with an actual token from your Vault environment.
- Creates a secret at the specified path with a JSON payload. Replace `'sensitive-api-key'` and `'sensitive-db-password'` with the actual secrets you want to manage for your AI application.
- Sets up a policy that grants read access to the AI application at the path where the secret is stored.
- Defines an AppRole tied to the policy that allows entities with this role to authenticate and retrieve the token.
- Exports the `role_id` and `secret_id` securely so that you can use them in your CI/CD pipeline or application code to authenticate with Vault and access the secrets.

Make sure to handle `role_id` and `secret_id` with care as they grant access to your secrets.

With this setup, your AI application can authenticate with Vault using the AppRole, read the secrets it needs, and operate securely without hardcoding any credentials in the codebase.