Uploaded image for project: 'ZABBIX FEATURE REQUESTS'
  1. ZABBIX FEATURE REQUESTS
  2. ZBXNEXT-6726

Auto renew Hashicorp vault periodic service tokens

    XMLWordPrintable

Details

    • Change Request
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • 5.2.5, 5.4.1
    • None
    • Server (S)
    • None

    Description

      It is recommended to use periodic service tokens for long-running services
      https://learn.hashicorp.com/tutorials/vault/tokens#periodic-service-tokens

      However, these tokens expire and they need to be renewed periodically. Currently this is possible only outside of Zabbix using periodic cron job or other way. This puts token potentially under risk, because if cron job is used then the token must be stored in plain text file.

      https://learn.hashicorp.com/tutorials/vault/tokens#renew-service-tokens

      This is not a big problem for frontend, because the token is stored in the web configuration anyway.

      However, Zabbix server has possibility to use token from environment variable (which can be destroyed after Zabbix server start).

      Adding possibilty to auto renew the token used by Zabbix server would be nice.
      New Zabbix server configuration parameter could solve this problem, by example

      VaultTokenRenew=1h
      

      The only non-expiring token is the root token, but using root token for a service is bad practice.

      Attachments

        Activity

          People

            wiper Andris Zeila
            kaspars.mednis Kaspars Mednis
            Votes:
            2 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated: