I think there would be value in there being a Proxmox secrets plugin for Hashicorp's Vault.
To understand what this feature would do, I am going to use the AWS secrets plugin as an example. The Proxmox feature would work the same way structurally. Vault is a secure storage system for credentials of various types for APIs. Rather than keeping API keys in files on a server drive, in environment variables, or (gasp) hard coded in software, one saves the API credential to a location in Vault. The application then authenticates to Vault using one of the many authentication methods and receives the API credential to then use in requests to the API. This is all fully supported today with Vault and Proxmox as-is. You just create a token and save it to Vault and configure an application to interact with Vault to get the credential. However, this paradigm still potentially leaves a long-term token outside of the confines of Vault. Through memory forensics and/or reverse engineering on the server running the application, that API key can potentially be recovered, stolen, and used elsewhere surreptitiously.
The type of secrets plugin for AWS performs a few extra steps. The admin creates a special AWS credential that has the correct privileges for creating more AWS API credentials. This master credential only exists safely inside of Vault. The AWS secrets plugin, when accessed by an application outside Vault, performs the steps with the AWS API using the stored master credential to create a short lived token with just the permissions needed for the application. The application would be aware of the TTL on the token, and include appropriate functionality to renew or be reissued a fresh credential when needed. This means a compromised application server may not provide valid credentials at all. The following is a link that describes the AWS secrets plugin:
https://developer.hashicorp.com/vault/docs/secrets/aws
I can see in the API documentation what seems to be all the API capabilities needed to support this plugin already. Please correct me if I am wrong:
https://pve.proxmox.com/pve-docs/api-viewer/index.html#/access/users/{userid}/token/{tokenid}
Via a master token, saved to Vault, a Proxmox secrets plugin would use that token to generate a new token with specific permissions and an expiration time in seconds.
The missing piece is the Vault plugin, which would need to be written in Go according to their plugin architecture:
https://developer.hashicorp.com/vault/docs/plugins
There are a few ways to go about this. First, Hashicorp could be lobbied to write an official plugin. Proxmox could be lobbied to write and maintain the plugin. Or one or more of us in the community could write it and release it on GitHub. The various plugins that are available today in these different categories are listed here:
https://developer.hashicorp.com/vault/docs/plugins/plugin-portal
What do you all think about this?
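The token lifecycle sketched in the post, written out as an added example. This is not code from the post, from HashiCorp, from Proxmox, or from any existing plugin. It uses only the endpoints the post points at: POST and DELETE on /access/users/{userid}/token/{tokenid}, plus PUT /access/acl to attach a role, all authenticated with the PVEAPIToken header carrying the master token. Two details worth knowing before writing the real engine: the Proxmox `expire` parameter is an absolute Unix timestamp, so the plugin has to turn Vault's TTL into now+ttl itself, and a token created with `privsep=1` starts with no privileges at all, so the engine must grant the role it wants through an ACL entry on the token. The Vault plugin framework (path handlers, lease renew and revoke callbacks) is left out. The user `vault@pve`, the token id `app-7`, the role `PVEVMUser`, the ACL path `/vms/100`, and the fake Proxmox server with its made-up token secret are all constructed for the example so it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// LeasedToken is what the engine would hand to Vault as a lease; Proxmox reveals the secret only once.
type LeasedToken struct {
	FullTokenID string    // "user@realm!tokenid", used in the PVEAPIToken header
	Secret      string    // UUID secret ("value" in the creation response)
	Expires     time.Time // PVE's 'expire' field is an absolute epoch time, not a TTL
}

// ProxmoxClient holds the master token, which in a real engine would exist only inside Vault.
type ProxmoxClient struct {
	BaseURL, MasterToken string // MasterToken is "user@realm!tokenid=uuid"
}

// do sends one form-encoded request to /api2/json<path> and unwraps the "data" envelope.
func (c *ProxmoxClient) do(method, path string, form url.Values) (map[string]any, error) {
	req, err := http.NewRequest(method, c.BaseURL+"/api2/json"+path, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "PVEAPIToken="+c.MasterToken)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s %s: %s", method, path, resp.Status)
	}
	var out struct{ Data map[string]any `json:"data"` }
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out.Data, err
}

func tokenPath(userid, tokenid string) string {
	return "/access/users/" + url.PathEscape(userid) + "/token/" + url.PathEscape(tokenid)
}

// CreateLeasedToken is what a read of creds/<role> would run: mint a privilege-separated token
// that stops working at now+ttl, then grant it exactly one role on one ACL path.
func (c *ProxmoxClient) CreateLeasedToken(userid, tokenid string, ttl time.Duration, aclPath, role string) (*LeasedToken, error) {
	expires := time.Now().Add(ttl).Truncate(time.Second)
	data, err := c.do(http.MethodPost, tokenPath(userid, tokenid), url.Values{
		"expire":  {fmt.Sprint(expires.Unix())},
		"privsep": {"1"}, // the token inherits nothing from its user; the ACL below grants the rest
	})
	if err != nil {
		return nil, err
	}
	full, _ := data["full-tokenid"].(string)
	secret, _ := data["value"].(string)
	if full == "" || secret == "" {
		return nil, fmt.Errorf("unexpected token response: %v", data)
	}
	acl := url.Values{"path": {aclPath}, "roles": {role}, "tokens": {full}, "propagate": {"1"}}
	if _, err := c.do(http.MethodPut, "/access/acl", acl); err != nil {
		_ = c.RevokeToken(userid, tokenid) // never leave a stranded token behind
		return nil, err
	}
	return &LeasedToken{FullTokenID: full, Secret: secret, Expires: expires}, nil
}

// RevokeToken is the lease-revocation hook Vault would call at expiry or on an explicit revoke.
func (c *ProxmoxClient) RevokeToken(userid, tokenid string) error {
	_, err := c.do(http.MethodDelete, tokenPath(userid, tokenid), nil)
	return err
}

// fakeProxmox is a constructed stand-in for the PVE API so the example runs offline.
type fakeProxmox struct {
	tokens map[string]string // full-tokenid -> expire, as sent by the client
	acls   map[string]string // full-tokenid -> "path:role"
}

func newFakeProxmox(master string) (*fakeProxmox, *httptest.Server) {
	f := &fakeProxmox{tokens: map[string]string{}, acls: map[string]string{}}
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var full string // "userid!tokenid" when the path is /access/users/<userid>/token/<tokenid>
		if p := strings.Split(strings.TrimPrefix(r.URL.Path, "/api2/json/access/users/"), "/token/"); len(p) == 2 {
			full = p[0] + "!" + p[1]
		}
		switch {
		case r.Header.Get("Authorization") != "PVEAPIToken="+master:
			http.Error(w, "authentication failure", http.StatusUnauthorized)
		case full != "" && r.Method == http.MethodPost:
			f.tokens[full] = r.PostFormValue("expire")
			json.NewEncoder(w).Encode(map[string]any{"data": map[string]any{
				"full-tokenid": full, "value": "e3b0c442-0000-4000-8000-000000000000"}}) // constructed secret
		case full != "" && r.Method == http.MethodDelete:
			delete(f.tokens, full)
			fmt.Fprint(w, `{"data":null}`)
		case r.URL.Path == "/api2/json/access/acl" && r.Method == http.MethodPut:
			f.acls[r.PostFormValue("tokens")] = r.PostFormValue("path") + ":" + r.PostFormValue("roles")
			fmt.Fprint(w, `{"data":null}`)
		default:
			http.NotFound(w, r)
		}
	}))
	return f, srv
}
```

In a real engine, CreateLeasedToken would sit behind the creds/<role> read path with the TTL taken from the role or lease settings, and RevokeToken would be the lease's revoke callback; renewal could either update the token's expire field (PUT on the same token path) or simply issue a fresh token. Before relying on this, check in the Proxmox docs which privileges the master token itself needs (creating tokens on its own user and Permissions.Modify on the paths it grants), since Proxmox will not let a caller hand out more than it is allowed to.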