Centralized Credential Management for AI Services with Vault

Question

Pulumi · Accepted Answer

Centralized credential management plays a crucial role in maintaining a secure and efficient infrastructure. For managing credentials and secrets, HashiCorp Vault is a widely-used tool that provides secure secret storage and tight access control. Managing AI services often involves handling various sensitive tokens, passwords, and API keys, which is why integrating Vault can be beneficial.

In this Pulumi Python program, we will configure a Vault server and enable the Kubernetes authentication method (assuming that your AI services may run on Kubernetes). This will allow the services to authenticate with Vault using their Kubernetes Service Account Tokens and fetch the secrets they need.

Below are the steps we will follow in the program:

1. Set up the Vault server.
2. Enable Kubernetes authentication on Vault.
3. Configure roles associated with Kubernetes service accounts. These roles dictate which secrets a service can access based on its service account.
4. Create a secret in Vault which our services can securely access.

Let's start with the Python program:

```python
import pulumi
import pulumi_vault as vault

# Create a Vault server (this would typically be a more complex setup, possibly involving
# the Vault Helm chart for Kubernetes or a managed Vault service).
vault_server = vault.Server("vaultServer", {})

# Enable the Kubernetes authentication backend in Vault.
k8s_auth = vault.AuthBackend("kubernetesAuth",
    type="kubernetes",
    description="Kubernetes auth backend")

# Define a role for the Kubernetes service account.
# The bound_service_account_namespaces and bound_service_account_names indicate which
# Kubernetes service accounts can authenticate based on this role.
k8s_role = vault.KubernetesRole("exampleServiceK8sRole",
    backend=k8s_auth.path,
    role_name="example-service-account-role",
    bound_service_account_names=["example-service-account"],
    bound_service_account_namespaces=["default"],
    policies=["default"],  # List the names of policies to associate with this role.
    ttl="24h")

# Define a secret in Vault.
example_secret = vault.GenericSecret("exampleSecret",
    path="secret/data/ai_service_credentials",
    data_json="""{
        "api_key": "supersecretapikey",
        "password": "mysecretpassword"
    }""")

# Export the address of the Vault server.
pulumi.export("vault_address", vault_server.address)
# Export the path at which Kubernetes auth is enabled in Vault.
pulumi.export("k8s_auth_path", k8s_auth.path)

```

In this program:
- We've provisioned a Vault server (`vault.Server`). In a real-world scenario, you might be deploying Vault to a Kubernetes cluster, initializing it, and unsealing it.
- The Kubernetes auth backend (`vault.AuthBackend`) is then enabled, which allows Kubernetes pods to authenticate with Vault using their service account tokens.
- We then create a role (`vault.KubernetesRole`) specifically for a Kubernetes service account, indicating what policies are assigned and the token's time-to-live (TTL).
- A generic secret (`vault.GenericSecret`) is created in Vault with dummy values. In real usage, this would be the sensitive information your AI services need.
- We exported the address of the Vault server and the path where the Kubernetes authentication is enabled.

Please replace the values such as `backend`, `bound_service_account_names`, `bound_service_account_namespaces`, and `data_json` with actual values that match your Kubernetes environment and the secrets you want to store.

This Pulumi program creates the necessary Vault configuration to manage the access of AI services to their credentials securely. The AI services running on Kubernetes can authenticate using their service accounts and fetch the credentials they need to operate—this setup helps centralize and secure secret management across your services.