Centralized Credential Rotation for AI Services with Vault
Centralizing credential rotation for AI services with Vault means building a system in which credentials such as database passwords, API tokens, or TLS certificates are issued dynamically and rotated automatically. With Vault, services no longer need hard-coded credentials: sensitive material is stored in one place, every credential is short-lived, and rotation follows a defined policy instead of manual practice.
In this program, we will demonstrate how to set up a secrets engine in HashiCorp Vault to manage and rotate credentials for a database automatically. For the purpose of this example, we will use a PostgreSQL database as our target; however, Vault supports various types of secrets engines for different databases and services.
We will perform the following steps in the Pulumi program:
- Vault Database Secrets Engine: configure the SecretsMount resource from Vault to manage the PostgreSQL database credentials. This resource issues and rotates the database credentials automatically.
- Vault Database Role: set up a DatabaseRole in Vault that defines the permissions and roles assigned to the credentials Vault generates dynamically for PostgreSQL.
- Vault Policy: create a Vault policy that grants access to the database credentials path in Vault. This step defines which entities may read the dynamic credentials.
- Pulumi Exports: finally, output the Vault database secrets engine mount path, which your applications use to retrieve dynamic credentials.
For this demonstration, I'm assuming that you have already initialized Vault, authenticated to it, and have the necessary permissions to create and configure secrets engines.
Here's the Pulumi program in Python that sets up centralized credential rotation for AI services using Vault:
```python
import pulumi
import pulumi_vault as vault

# Initialize the Database Secrets Engine for PostgreSQL
postgres_secrets_engine = vault.database.SecretsMount(
    "postgres-secrets-engine",
    path="database",  # mount path where the secrets engine will be accessible
    description="Manages PostgreSQL credentials",
    # Connection configuration for PostgreSQL. {{username}}/{{password}} are
    # templated from the root credentials Vault holds for this connection.
    # sslmode=disable is only acceptable for a local demo; use a verified TLS
    # connection in any real deployment.
    postgresqls=[vault.database.SecretsMountPostgresqlArgs(
        connection_url="postgresql://{{username}}:{{password}}@localhost:5432/database?sslmode=disable",
        name="postgres",
        # Roles that are allowed to use this connection
        allowed_roles=["my-role"],
        # Maximum lifetime (seconds) of a pooled connection to the database
        max_connection_lifetime=600,
        # Verify the connection at configuration time
        verify_connection=True,
    )],
)

# Define a Role for the Database Credentials
postgres_db_role = vault.database.SecretBackendRole(
    "postgres-db-role",
    backend=postgres_secrets_engine.path,  # reference to the secrets engine mount
    name="my-role",
    db_name="postgres",
    # SQL statements Vault executes to create each dynamic credential
    creation_statements=[
        "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
        "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
    ],
    default_ttl=3600,  # 1h, in seconds
    max_ttl=86400,     # 24h, in seconds
)

# Define a Vault Policy for Accessing the Database Secrets.
# The mount path is a Pulumi Output, so it must be resolved with apply()
# rather than interpolated directly into an f-string.
db_creds_policy = vault.Policy(
    "db-creds-policy",
    name="db-creds-policy",
    policy=postgres_secrets_engine.path.apply(lambda p: f"""
path "{p}/creds/my-role" {{
  capabilities = ["read"]
}}
"""),
)

# Export the database credentials path for application use
pulumi.export(
    "db_creds_path",
    pulumi.Output.concat(postgres_secrets_engine.path, "/creds/my-role"),
)
```
Explanation of the program:
- We begin by importing the necessary Pulumi modules for Vault.
- In postgres_secrets_engine, we initialize the Vault Database Secrets Engine which will manage PostgreSQL credentials.
- postgres_db_role defines a role that dictates how credentials are created. The creation_statements field contains the SQL commands Vault executes to create dynamic credentials for PostgreSQL.
- db_creds_policy creates a policy in Vault that specifies who can read credentials from the secrets engine path defined earlier.
- Lastly, we export the database credentials path db_creds_path, so your application knows where to fetch dynamic credentials from Vault.
With this setup, your AI services retrieve database credentials from Vault dynamically, and Vault handles the issuance, renewal and revocation of those credentials. This is a more secure and automated approach to credential management than static, long-lived credentials.
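The application side still has to handle the lease that comes with each dynamic credential: renew it before it expires, and fetch a fresh credential once the role's max_ttl (24h above) would cap any further renewal. The following is an added example, not part of the original program, of that decision logic in pure Python; the response body is a constructed sample in the shape Vault returns from the database/creds/my-role path, and the names plan_next_action and apply_renewal are hypothetical.

```python
import json
from dataclasses import dataclass, replace

MAX_TTL_SECONDS = 86400  # mirrors max_ttl on the role above (24h)

# Constructed sample of a Vault lease response for database/creds/my-role.
SAMPLE_CREDS_RESPONSE = json.dumps({
    "lease_id": "database/creds/my-role/EXAMPLE-LEASE-ID",
    "renewable": True,
    "lease_duration": 3600,  # default_ttl of the role (1h)
    "data": {"username": "v-my-role-EXAMPLE", "password": "EXAMPLE-PASSWORD"},
})


@dataclass(frozen=True)
class DynamicCredential:
    lease_id: str
    username: str
    password: str
    renewable: bool
    first_issued: float   # epoch seconds when Vault first issued the lease
    lease_start: float    # epoch seconds of the latest issue or renewal
    lease_duration: int   # seconds granted by that issue or renewal


def parse_creds(raw: str, now: float) -> DynamicCredential:
    """Turn a Vault creds response (JSON text) into a tracked credential."""
    body = json.loads(raw)
    return DynamicCredential(
        lease_id=body["lease_id"], username=body["data"]["username"],
        password=body["data"]["password"], renewable=bool(body["renewable"]),
        first_issued=now, lease_start=now, lease_duration=int(body["lease_duration"]))


def plan_next_action(cred: DynamicCredential, now: float,
                     max_ttl: int = MAX_TTL_SECONDS, renew_at: float = 2 / 3) -> str:
    """Return 'wait', 'renew' or 'reissue' (fetch new creds and reconnect)."""
    expires_at = cred.lease_start + cred.lease_duration
    if now >= expires_at:
        return "reissue"                      # lease already gone; Vault revoked the role
    if now < cred.lease_start + cred.lease_duration * renew_at:
        return "wait"                         # renew at 2/3 of the lease, not at the edge
    # Renewal never extends a lease past first_issued + max_ttl; once the current
    # lease already reaches that cap, renewing gains nothing, so get a new credential.
    if not cred.renewable or cred.first_issued + max_ttl <= expires_at:
        return "reissue"
    return "renew"


def apply_renewal(cred: DynamicCredential, now: float,
                  max_ttl: int = MAX_TTL_SECONDS) -> DynamicCredential:
    """Model Vault's lease renewal: extend by lease_duration, capped at max_ttl."""
    new_expiry = min(now + cred.lease_duration, cred.first_issued + max_ttl)
    return replace(cred, lease_start=now, lease_duration=int(new_expiry - now))
```

The renewal loop in a real service calls Vault's lease renew endpoint when plan_next_action returns "renew" and re-reads the creds path, then reconnects, when it returns "reissue".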