AI Pipeline Credential Rotation with SecretProviderClass

Question

Pulumi · Accepted Answer

Credential rotation is an important security practice, ensuring sensitive information like API keys, access tokens, or passwords are regularly changed to prevent unauthorized access in case they are compromised. In cloud-native environments, secrets are often managed and rotated using integrated secret management systems.

In the context of Kubernetes, a `SecretProviderClass` is a custom resource that enables the integration of external secret stores like Azure Key Vault, AWS Secrets Manager, or HashiCorp Vault with Kubernetes. It allows Kubernetes to automatically fetch secrets from these stores and inject them into pods at runtime.

To implement a pipeline for credential rotation with `SecretProviderClass`, the following steps are usually necessary:

1. **Secret Creation**: First, you have to create the secret in the external secrets store (e.g., AWS Secrets Manager, Azure Key Vault). These services typically offer built-in mechanisms to rotate the secrets according to specified policies.

2. **SecretProviderClass Configuration**: Then, you define a `SecretProviderClass` in your Kubernetes cluster to specify how these external secrets should be accessed and mapped into your pods.

3. **Pod Integration**: Finally, in your pod definition, you reference the `SecretProviderClass` to mount the secrets as volumes or inject them as environment variables.

I'll write a sample program using Pulumi to create an AWS Secret with rotation enabled and simulate the creation of a `SecretProviderClass`. AWS Secrets Manager supports native secret rotation by using a provided Lambda function. Please note that there isn't a native Pulumi resource for `SecretProviderClass` as it's a Kubernetes-specific concept and typically defined as a Kubernetes custom resource (CRD), but I'll show how to define it using the Pulumi Kubernetes provider.

```python
import pulumi
import pulumi_aws as aws
import pulumi_kubernetes as k8s

# Step 1: Create an AWS Secret.
# The secret in AWS Secrets Manager, with a specified rotation policy.
secret = aws.secretsmanager.Secret("my-secret",
    description="My secret",
    rotation_lambda_arn="arn:aws:lambda:region:acct-id:function:func-name",
    rotation_rules=aws.secretsmanager.SecretRotationRulesArgs(
        automatically_after_days=30,
    ))

# To rotate the secret, you'll need a Lambda function and permissions set up. This is not covered here,
# but AWS provides documentation on how to set up rotation using Lambda:
# https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-lambda-function-overview.html

# Step 2: Configure a SecretProviderClass using Pulumi Kubernetes provider.
# Note: The below Kubernetes configuration assumes that the CSI driver for the external secret store is already installed in the cluster.
# This is a manifest using Pulumi's Kubernetes provider, not a native Pulumi resource.

api_version = 'secrets-store.csi.x-k8s.io/v1'
kind = 'SecretProviderClass'

secret_provider_class_name = 'my-secret-provider-class'

# Define a SecretProviderClass
secret_provider_class = k8s.apiextensions.CustomResource(secret_provider_class_name,
    api_version=api_version,
    kind=kind,
    metadata=k8s.meta.v1.ObjectMetaArgs(
        name=secret_provider_class_name,
    ),
    other_fields={
        'spec': {
            'provider': 'aws',
            'parameters': {
                'secretId': secret.id,  # reference the ID of the secret created above
            },
        },
    })

# Export the secret ARN and SecretProviderClass name
pulumi.export('secret_arn', secret.arn)
pulumi.export('secret_provider_class_name', secret_provider_class.metadata['name'])
```

Here's what is happening in the Pulumi program:

- We begin by creating an AWS secret. We also define rotation rules for it, like the rotation frequency. The rotation function ARN is a placeholder and should be replaced with the ARN of a real Lambda function designed to rotate the secret.
- Next, we create a `SecretProviderClass` definition. It tells Kubernetes' CSI secret driver how to fetch the secret from AWS Secrets Manager and make it available to our applications.

Do note that the actual implementation of credential rotation requires additional setup, such as:

- A Lambda function that performs the rotation task, typically defined by the secret type or your custom logic.
- Proper IAM roles and policies to allow the Lambda function to change the AWS secret and potentially update related resources with the new credentials.
- If you're using the Kubernetes `SecretProviderClass`, you'll need the respective CSI driver installed in your Kubernetes cluster, and the application pods will need to be configured to use the secret store.

Remember that the above code primarily focuses on provisioning and connectivity setup, not the actual deployment into a Kubernetes environment. The use of specific details like Lambda ARN should be tailored to your AWS environment.

For in-depth details on these resources and their properties, you can refer to the Pulumi documentation:

- [aws.secretsmanager.Secret](https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/secret/)
- [Using Pulumi Kubernetes provider to create CustomResources](https://www.pulumi.com/registry/packages/kubernetes/sdk/python/pulumi_kubernetes/apiextensions/CustomResource/)