1. Secure Model Training Credentials with Vault Token Authentication


    To secure model training credentials in Vault with Pulumi, you use Vault's token authentication method. A client authenticates to Vault with a token, and the policies and limits attached to that token (through its role) scope what it may read, so access to sensitive data stays restricted to what the training job needs.

    Here's how you would set up Vault token authentication with Pulumi:

    1. Vault Token Auth Backend Role: This resource will define a role that applications or services can assume. It includes settings regarding the tokens issued under this role, such as the TTL (Time To Live), renewal capabilities, and associated policies.

    2. Vault Token: This resource will generate a token. Depending on the role's permissions, this token can be used to authenticate and interact with Vault's backend, allowing you to securely store and fetch your model training credentials.

    Let's go through the concrete steps of setting up a Vault Token role and generating a token, with Pulumi and the Vault provider. Here's what the program looks like:

```python
import pulumi
import pulumi_vault as vault

# Create a Vault token auth backend role. Tokens issued through this role
# inherit its TTLs, policies, CIDR bounds and use limits.
auth_backend_role = vault.tokenauth.AuthBackendRole(
    "modelTrainingRole",
    role_name="model-training",    # Name of the role inside Vault (required by the provider)
    token_ttl=3600,                # Default TTL for issued tokens: 1 hour (3600 seconds)
    token_max_ttl=7200,            # Maximum TTL after renewals: 2 hours (7200 seconds)
    token_policies=["my-policy"],  # Policy that decides what the token may read or write
    token_bound_cidrs=[],          # Empty list = no CIDR restriction (allow all IPs);
                                   # tighten to the training cluster's ranges in production
    token_num_uses=5,              # A single token may be used at most 5 times
    renewable=True,                # Issued tokens can be renewed, up to token_max_ttl
)

# Generate a token under the role above.
token = vault.Token(
    "modelTrainingToken",
    role_name=auth_backend_role.role_name,  # Associate this token with the role created above
    policies=["my-policy"],                 # Policies attached to the token
    ttl="1h",                               # TTL for this token
    renewable=True,                         # Token can be renewed
)

# Export the client token as a secret output so it can authenticate requests
# outside Pulumi. The resource's id is only the token accessor, which cannot
# be used to authenticate, so export client_token instead.
pulumi.export("authToken", pulumi.Output.secret(token.client_token))
```

    In this program:

    • We create an auth backend role with vault.tokenauth.AuthBackendRole, specifying the role name, the token TTLs, the associated policy, the bound CIDRs, whether tokens are renewable, and the use limit.
    • We then generate a token under this role with vault.Token. The token inherits the role's TTL, policy and use-limit settings.
    • Finally, we export the client token as a secret stack output so it can be used outside of Pulumi.
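    The role and the token both reference a policy named my-policy, which the program above never defines. The following is an added example, not part of the original answer or of Pulumi's own code: a least-privilege Vault policy in HCL that grants the training job read-only access to a single KV v2 path. The mount name secret and the path prefix model-training/ are assumptions.

```hcl
# my-policy: read-only access to the training job's credentials, nothing else.
# The KV v2 mount "secret" and the path prefix "model-training/" are assumed.
path "secret/data/model-training/*" {
  capabilities = ["read"]
}

# Let the job inspect and renew its own token. Vault's default policy already
# grants these; they are listed so the policy stands alone if default is omitted.
path "auth/token/lookup-self" {
  capabilities = ["read"]
}

path "auth/token/renew-self" {
  capabilities = ["update"]
}
```

    Write it to Vault with `vault policy write my-policy my-policy.hcl` before running the Pulumi program, since the role and token creation fail if the referenced policy does not exist. Because the policy names only the data/ path of the mount, the token cannot list, delete or rewrite other secrets even if it leaks.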

    To use this setup in your model training process, you retrieve the exported token and present it on your requests to Vault. You would typically fetch the token as part of your application's bootstrap process, confirm it still has the uses and TTL the job needs, and then call Vault's API to read the credentials required for model training.
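    The bootstrap step described above, as an added example that is not part of the original answer or of Pulumi's or Vault's own code: a training job authenticates with the issued token, checks through auth/token/lookup-self that the token still has enough remaining uses, enough TTL and the expected policy, and then reads its credentials from a KV v2 mount. The Vault address, the mount name secret, the path model-training/storage, the token value and the JSON responses are all constructed for the example; the fetch parameter lets the HTTP call be replaced by the offline stub so the logic runs without a Vault server.

```python
"""Bootstrap helper for a training job using a Vault token issued by the role above."""
import json
import os
import urllib.request
from typing import Any, Callable, Dict

# Type of the HTTP GET function: (url, headers) -> decoded JSON body.
Fetcher = Callable[[str, Dict[str, str]], Dict[str, Any]]


def http_get_json(url: str, headers: Dict[str, str]) -> Dict[str, Any]:
    """Real HTTP GET against Vault; used unless a stub fetcher is supplied."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def kv2_read_url(vault_addr: str, mount: str, path: str) -> str:
    """KV v2 read endpoint: /v1/<mount>/data/<path>."""
    return f"{vault_addr.rstrip('/')}/v1/{mount.strip('/')}/data/{path.strip('/')}"


def token_fit_for_job(lookup: Dict[str, Any], reads_needed: int,
                      min_ttl_seconds: int, required_policy: str) -> bool:
    """Decide from an auth/token/lookup-self response whether the token can still
    do the job. num_uses is the remaining use count (0 = unlimited) and ttl is the
    remaining lifetime in seconds. An error response (no "data") is never fit."""
    data = lookup.get("data") or {}
    uses_left = data.get("num_uses", 0)
    if uses_left and uses_left < reads_needed:
        return False
    if data.get("ttl", 0) < min_ttl_seconds:
        return False
    return required_policy in data.get("policies", [])


def read_training_credentials(vault_addr: str, token: str, mount: str, path: str,
                              fetch: Fetcher = http_get_json,
                              required_policy: str = "my-policy") -> Dict[str, Any]:
    """Bootstrap: look the token up, refuse to start with a token that cannot
    complete the job, then return the secret's key/value data."""
    headers = {"X-Vault-Token": token}
    lookup = fetch(f"{vault_addr.rstrip('/')}/v1/auth/token/lookup-self", headers)
    # One read follows this lookup; require a remaining use and a minute of TTL.
    # Tune both numbers to what the job really does with the token.
    if not token_fit_for_job(lookup, reads_needed=1, min_ttl_seconds=60,
                             required_policy=required_policy):
        raise RuntimeError("Vault token lacks the uses, TTL or policy this job needs")
    secret = fetch(kv2_read_url(vault_addr, mount, path), headers)
    return secret["data"]["data"]


# Constructed sample responses standing in for a live Vault server.
SAMPLE_ADDR = "https://vault.example.internal:8200"
SAMPLE_TOKEN = "hvs.constructed-example-token"
SAMPLE_RESPONSES = {
    f"{SAMPLE_ADDR}/v1/auth/token/lookup-self": {
        "data": {"policies": ["default", "my-policy"], "ttl": 3420,
                 "num_uses": 4, "renewable": True}},
    f"{SAMPLE_ADDR}/v1/secret/data/model-training/storage": {
        "data": {"data": {"access_key_id": "EXAMPLE-ACCESS-KEY",
                          "secret_access_key": "EXAMPLE-SECRET-KEY"},
                 "metadata": {"version": 1}}},
}


def stub_fetch(url: str, headers: Dict[str, str]) -> Dict[str, Any]:
    """Offline stand-in for http_get_json: checks the auth header the way Vault
    would and serves the constructed responses above."""
    if headers.get("X-Vault-Token") != SAMPLE_TOKEN:
        return {"errors": ["permission denied"]}
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    # In a real job the token arrives via an injected environment variable
    # (for example from `pulumi stack output authToken --show-secrets`).
    creds = read_training_credentials(SAMPLE_ADDR, os.environ.get("VAULT_TOKEN", SAMPLE_TOKEN),
                                      "secret", "model-training/storage", fetch=stub_fetch)
    print(sorted(creds))
```

    Running the block with a live server means dropping the fetch argument so http_get_json is used and setting VAULT_TOKEN to the exported secret. The up-front lookup matters with a token_num_uses of 5: a token that has already spent its uses fails the job immediately, before any partial work, instead of halfway through a run.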

    Make sure the identity Pulumi uses has permissions and policies in Vault that allow creating token roles and tokens, that the my-policy policy exists, and that the Pulumi Vault provider is configured with the Vault address and its own authentication details.