[FEATURE] Agent Pool Secrets #58

@stuartpurgavie

Agent Pool Secrets

Introduction

Hello,

Looking for a way to dynamically generate and revoke TFE/TFC Agent Pool tokens. Client is wary of static secrets and I'm having to build my own appliance to interact with a KVv2 store and do the rotation. However, this seems like the sort of thing that Vault is purpose-built to handle. Additionally, the token type required to mint Agent Pool tokens is not least-privilege and cannot be farmed out to platform tenants.

This would enable:

  • Unique key per agent, just-in-time provisioning, tightly scoped TTLs
  • Bring-your-own-Agent pattern (instead of TFE/TFC platform teams owning agent infrastructure, this could allow them to safely farm out agent infrastructure management and costs to tenants, assuming Agent Pools are assigned per-tenant)

Minimum Requirements

At a high level, this will need to:

  • Create Agent Pool tokens based on Agent Pool ID.
    • Optionally, allow the role to define a description for the token, ideally implementing the username template system for ease of audit log searches and identification in TFE/TFC Web UI. This would be an administrative approach.
    • Optionally, allow the user to provide a description for the token at time of request, providing details of the calling system at user discretion. This would be an opt-in approach.
  • Track the ID of the returned token (as part of a lease).
  • Follow User token pattern by tracking TTLs and expiring tokens.
  • Require the engine configuration administrator to use a credential capable of managing organization settings.

Mid-level design

Based on current documentation, it seems reasonable to assume the following pattern:

  • Add a new parameter to the Create/Update Role endpoint, agent_pool_id, which will be mutually exclusive with the existing organization, user_id and team_id parameters.
    • Optionally, add parameter description to Generate Credential endpoint to allow for the description field to be passed through to the Agent Tokens API.
    • Optionally, add parameter description to Create/Update Role endpoint to allow for an administrator to set the description field of the token when a credential is generated, ideally implementing templating.
  • Interact with the Agent Tokens API for TFC and TFE to manage the tokens.
  • Use existing framework for all other aspects (same role management, similar lease management to user tokens, etc.)

Closing comments

Regarding the Agent Pool token description, it would certainly be less work to allow the caller to define the token description, and would allow for far more detail to be passed through to Terraform Cloud, as Vault can only get information about the caller identity, whereas the caller can provide any arbitrary information they want that relates to the token's use case. However, either implementation would be helpful, and neither implementation can also be considered an MVP implementation of this feature request, as the description is not required. If no description parameter is exposed to the user, it would probably be helpful to have Vault provide a standardized description, but as Vault is a security-first platform, it may also be an anti-pattern to provide a description that could hint at the implementation pattern in use in the environment. This will be up to developer discretion.
