Project

General

Profile

Vault » History » Version 2

Peter Amstutz, 02/12/2018 09:09 PM

1 1 Peter Amstutz
h1. Vault
2
3 2 Peter Amstutz
Going through the docs, a strawman proposal on how to use Vault from an Arvados container:
4 1 Peter Amstutz
5 2 Peter Amstutz
* Credentials are entered into Vault
6
* Client (arvados-cwl-runner?) generates a Vault token with restricted policy (can only read credentials)
7
* Container request is expanded to include Vault token
8
* Vault token cannot be read back from container request via API
9
* Cannot have container reuse with Vault tokens
10
* On the compute node, read the container record
11
* The container record only includes the vault token when queried by the container run token.
12 1 Peter Amstutz
* The container can now read the secret at the path provided in the input
13 2 Peter Amstutz
* When the container request is finalized, the Vault token is revoked.
14
15
Notes:
16
17
* Credentials may be passed in via environment, config file or command line like any other input, so it would be nice to generalize this as a CWL feature where some inputs are simply marked "sensitive" and automatically handled by Vault.  However, while arvados-cwl-runner is responsible for constructing the container request it doesn't run on the compute node, only crunch-run, which is "dumb", so its not clear how we go about allowing for arbitrary substitution into the environment, command line, or config file on the compute node.