AI Workload Identity and Access with Vault

Question

Pulumi · Accepted Answer

Integrating workload identity and access management with HashiCorp Vault requires setting up Vault to handle authentication and authorization for your resources within a cloud environment. Vault can integrate with multiple cloud providers like AWS, GCP, and Azure, and it allows you to centrally manage and enforce access policies.

Here is a Pulumi Python program that demonstrates how to create a Vault AWS Auth backend, which will be used to whitelist IAM entities for authentication. This backend allows AWS IAM principals to authenticate with Vault.

The program will do the following:
- Create a Vault Auth Backend for AWS. This will set up Vault to handle AWS IAM authentication.
- Configure a whitelist identity, which specifies the lifetimes of the tokens and how often the list of authorized entities will be tidied.

Please note, this program assumes that you have Vault installed and properly configured in your environment. Also, it assumes you have `pulumi_vault` installed in the Python environment where you run this program.

```python
import pulumi
import pulumi_vault as vault

# Create an AWS Auth Backend in Vault
aws_auth_backend = vault.aws.AuthBackend("aws-auth-backend",
    # This path is where you will access the backend,
    # for example to login via the AWS IAM method you would perform a POST request to auth/aws/login.
    path="aws",
)

# Configure the AWS Auth Backend identity whitelist 
# This feature maintains a whitelist of IAM principal ARNs that are allowed to authenticate to Vault.
aws_auth_backend_identity_whitelist = vault.aws.AuthBackendIdentityWhitelist("aws-auth-whitelist",
    backend=aws_auth_backend.path,
    safety_buffer=3600, # Time in seconds to buffer the periodic tidying.
    disable_periodic_tidy=False
)

# Export the path of the AWS auth backend
pulumi.export("aws_auth_backend_path", aws_auth_backend.path)
```

In the above code:
- We create an AWS authentication backend using Vault by specifying the path as "aws". This path is where you will access the backend, for example, you would POST to `auth/aws/login` to authenticate using the AWS IAM method.
- We then create an identity whitelist for this backend. The identity whitelist keeps a list of IAM principal ARNs (Amazon Resource Names) allowed to authenticate with Vault. We set a safety buffer, which is the time before the tokens' actual expiration during which they cannot be used for authentication, and we allow Vault to periodically tidy the list, cleaning up expired credentials.

Each of these resources is defined using their corresponding Pulumi Vault components as seen in the `pulumi_vault` module. You can read more in-depth about each of these components in the official Pulumi Vault provider documentation:

- [vault.aws.AuthBackend](https://www.pulumi.com/registry/packages/vault/api-docs/aws/authbackend/)
- [vault.aws.AuthBackendIdentityWhitelist](https://www.pulumi.com/registry/packages/vault/api-docs/aws/authbackendidentitywhitelist/)

Remember to replace the `pulumi_vault` module with the specific Pulumi provider for your cloud (e.g., `pulumi_aws`, `pulumi_gcp`) and import it accordingly at the top of your program if you are working with a different cloud provider.