Centralized Credential Rotation for AI Services with Vault

Question

Pulumi · Accepted Answer

Centralizing credential rotation for AI services using Vault involves creating a system where credentials such as passwords, API tokens, or SSL certificates can be dynamically managed and automatically rotated to enhance security. Using Vault, you can avoid hard-coded credentials in your services and ensure that sensitive information is stored securely, while also following the best practices for credential rotation.

In this program, we will demonstrate how to set up a secrets engine in HashiCorp Vault to manage and rotate credentials for a database automatically. For the purpose of this example, we will use a PostgreSQL database as our target; however, Vault supports various types of secrets engines for different databases and services.

We will perform the following steps in the Pulumi program:

1. **Vault Database Secrets Engine**: We'll configure the `SecretsMount` resource from Vault to manage the PostgreSQL database credentials. This resource will automatically rotate the database credentials.
   
2. **Vault Database Role**: We'll set up a `DatabaseRole` in Vault that defines the permissions and roles assigned to the dynamically generated credentials by Vault for PostgreSQL.

3. **Vault Policy**: Create a Vault policy that grants access to the database credentials path in Vault. This step is essential for defining which entities can read the dynamic credentials.

4. **Pulumi Exports**: Finally, output the Vault database secrets engine mount path, which can be used by your applications to retrieve dynamic credentials.

For this demonstration, I'm assuming that you have already initialized Vault, authenticated to it, and have the necessary permissions to create and configure secrets engines.

Here's the Pulumi program in Python that sets up centralized credential rotation for AI services using Vault:

```python
import pulumi
import pulumi_vault as vault

# Initialize the Database Secrets Engine for PostgreSQL
postgres_secrets_engine = vault.database.SecretsMount("postgres-secrets-engine",
    path="database",  # This is the path where the secrets engine will be accessible
    description="Manages PostgreSQL credentials",
    # Define the configuration for PostgreSQL
    postgresqls=[vault.database.SecretsMountPostgresqlsArgs(
        connection_url="postgresql://{{username}}:{{password}}@localhost:5432/database?sslmode=disable",
        name="postgres",
        # Roles that are allowed to access this secrets engine
        allowed_roles=["my-role"],
        # Define rotation settings for root credentials
        max_connection_lifetime=600,
        verify_connection=True,
    )]
)

# Define a Role for the Database Credentials
postgres_db_role = vault.database.SecretsMountRole("postgres-db-role",
    backend=postgres_secrets_engine.path,  # Reference to the secrets engine path
    name="my-role",
    # Define the SQL statements to execute to create and manage credentials
    db_name="postgres",
    creation_statements=["CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
                         "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"],
    default_ttl="1h",
    max_ttl="24h",
)

# Define a Vault Policy for Accessing the Database Secrets
db_creds_policy = vault.Policy("db-creds-policy",
    name="db-creds-policy",
    policy=f"""
path "{postgres_secrets_engine.path}/creds/my-role" {{
    capabilities = ["read"]
}}
""")

# Export the database credentials path for application use
pulumi.export("db_creds_path", pulumi.Output.concat(postgres_secrets_engine.path, "/creds/my-role"))

```

Explanation of the program:

1. We begin by importing the necessary Pulumi modules for Vault.

2. In `postgres_secrets_engine`, we initialize the Vault Database Secrets Engine which will manage PostgreSQL credentials.

3. `postgres_db_role` defines a role that dictates how credentials are created. The `creation_statements` field contains SQL commands that Vault will execute to create dynamic credentials for PostgreSQL.

4. `db_creds_policy` creates a policy in Vault that specifies who can read credentials from the secrets engine path defined earlier.

5. Lastly, we export the database credentials path `db_creds_path`, so your application knows where to fetch dynamic credentials from Vault.

With this setup, your AI services can retrieve database credentials from the Vault dynamically, and Vault will handle the management and rotation of the credentials. It provides a more secure and automated approach to credential management compared to static, long-lived credentials.