[ZBXNEXT-6726] Auto renew Hashicorp vault periodic service tokens Created: 2021 Jun 15  Updated: 2024 Nov 19  Resolved: 2024 Oct 23

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Server (S)
Affects Version/s: 5.2.5, 5.4.1
Fix Version/s: 7.0.6rc1, 7.2.0beta1

Type: Change Request Priority: Minor
Reporter: Kaspars Mednis Assignee: Sergejs Boidenko
Resolution: Fixed Votes: 21
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
Team: Team A
Sprint: S24-W40/41, S24-W42/43
Story Points: 3

 Description   

It is recommended to use periodic service tokens for long-running services
https://learn.hashicorp.com/tutorials/vault/tokens#periodic-service-tokens

However, these tokens expire and they need to be renewed periodically. Currently this is possible only outside of Zabbix, using a periodic cron job or some other way. This potentially puts the token at risk, because if a cron job is used then the token must be stored in a plain text file.

https://learn.hashicorp.com/tutorials/vault/tokens#renew-service-tokens

This is not a big problem for frontend, because the token is stored in the web configuration anyway.

However, Zabbix server has the possibility to use a token from an environment variable (which can be destroyed after Zabbix server start).

Adding the possibility to auto renew the token used by Zabbix server would be nice.
A new Zabbix server configuration parameter could solve this problem, for example

VaultTokenRenew=1h

The only non-expiring token is the root token, but using root token for a service is bad practice.



 Comments   
Comment by patrik uytterhoeven [ 2022 Jun 13 ]

Hi, will this come in 6.2 or later? Really looking forward, as now we need to use root tokens to keep the connection longer than 1 day.

Really not secure and that's a pity.

Comment by Dimitri Bellini [ 2022 Jun 13 ]

Please add this feature!

Comment by John Koyle [ 2022 Oct 28 ]

An alternative/easier approach may be to integrate with vault agent.  Vault agent (with an approle authenticator) can auto-renew and auto-auth tokens and write them to a sink file.

This would then only require the following Zabbix changes:

VaultToken configuration modified to enable reading from a file:

VaultToken=file:/path/to/sinkfile

 

and a new option: VaultTokenFrequency with a value set to how frequently the zabbix server should refresh the token used from the sink file.

VaultTokenFrequency=3600

Comment by Evgeny Semerikov [ 2023 Mar 02 ]

It would also be nice to use approle and add a few new params to the config, like role-id and secret_id, instead of VaultToken; with them Zabbix can automatically renew the token after its expiration.

Comment by Karel Krýda [ 2023 Aug 31 ]

We definitely need this functionality. It is not possible to manually renew the token every month.

Comment by Stefan Immelmann-Winter [ 2024 Jul 15 ]

+ !!!

Comment by patrik uytterhoeven [ 2024 Jul 15 ]

Not ideal, but for frontend I use the vault agent as a workaround.

It will read the token and write it into a file that frontend can read, as was mentioned above.

A permanent fix (integration between Zabbix and Vault) would be welcome.

Comment by Vladislavs Sokurenko [ 2024 Sep 19 ]

Can we renew each time new values are requested from Vault?

Comment by patrik uytterhoeven [ 2024 Sep 19 ]

IMHO that would be a bit much.

I think it should be a configurable option, so that the end user can choose how many times Zabbix will do a token update,

so that the refresh time is lower than the max token time.

Comment by Kevin Daudt [ 2024 Sep 19 ]

Alternatively Zabbix could request the token lifetime and refresh some period before expiry.

https://developer.hashicorp.com/vault/api-docs/auth/token#lookup-a-token-self

Comment by patrik uytterhoeven [ 2024 Sep 19 ]

Nice, indeed the better solution.

Comment by Kevin Daudt [ 2024 Sep 19 ]

Another issue that needs to be considered is that there is also a time limit on how long a token can be refreshed. After that period has passed, a new token must be obtained. That means, depending on the specific auth method in use, either Zabbix itself would obtain a new token, or a new token should be able to be provided to Zabbix.
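
The approach from the two comments above (look up the token's remaining lifetime, renew some period before expiry, and detect when renewal can no longer extend it), as an added example that is not part of the original thread and not Zabbix's implementation. The `plan` function, the `margin` parameter and the sample responses are assumptions made for illustration; the field names are those of Vault's `lookup-self` response.

```python
import json

# Constructed lookup-self responses (GET /v1/auth/token/lookup-self); values are made up.
PERIODIC = json.loads('{"data": {"ttl": 3000, "renewable": true, "period": 3600,'
                      ' "explicit_max_ttl": 0, "creation_time": 1700000000}}')
CAPPED = json.loads('{"data": {"ttl": 3000, "renewable": true, "period": 3600,'
                    ' "explicit_max_ttl": 86400, "creation_time": 1700000000}}')
ONESHOT = json.loads('{"data": {"ttl": 600, "renewable": false,'
                     ' "explicit_max_ttl": 0, "creation_time": 1700000000}}')
ROOT = json.loads('{"data": {"ttl": 0, "renewable": false,'
                  ' "explicit_max_ttl": 0, "creation_time": 1700000000}}')


def plan(lookup, now, margin=0.25):
    """Return (action, delay_seconds) for one token.

    action is "renew" (call renew-self after the delay), "replace" (a new
    token must be in place after the delay) or "none" (token never expires).
    margin is the fraction of the remaining lifetime kept as a safety buffer.
    Limits that lookup-self does not report are not handled here.
    """
    data = lookup["data"]
    ttl = int(data.get("ttl", 0))
    if ttl == 0:
        return ("none", 0)  # ttl 0 means no expiry, e.g. a root token
    safe_delay = int(ttl * (1 - margin))
    if not data.get("renewable", False):
        return ("replace", safe_delay)  # cannot be extended at all
    max_ttl = int(data.get("explicit_max_ttl", 0))
    if max_ttl > 0:
        # Renewal can never push expiry past creation_time + explicit_max_ttl.
        hard_left = int(data["creation_time"]) + max_ttl - now
        if hard_left <= ttl:
            # Renewing gains nothing: the remaining life is already the cap.
            return ("replace", max(0, int(hard_left * (1 - margin))))
    return ("renew", safe_delay)


if __name__ == "__main__":
    for name, resp in (("periodic", PERIODIC), ("capped", CAPPED),
                       ("oneshot", ONESHOT), ("root", ROOT)):
        print(name, plan(resp, now=1700000600))
```

A caller would re-run the lookup after every renewal, since the TTL returned by the server is the authoritative value for the next delay.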

Comment by Sergejs Boidenko [ 2024 Oct 14 ]

Available in versions:

Comment by Marina Generalova [ 2024 Oct 21 ]

Documentation updated:

Generated at Fri Mar 21 04:36:56 EET 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.