Support for appRole based authentication for secretstores.hashicorp.vault

[neeta-rathi]

Describe the feature

We use AppRole based authentication to manage secrets within Vault. More info on AppRole can be found here.

DAPR's secretstores.hashicorp.vault Component uses Token based authentication. Here are the key/values on the Component that requires to provide the token

  - name: vaultTokenMountPath # Required if vaultToken not provided. Path to token file.
    value : "[path_to_file_containing_token]"
  - name: vaultToken # Required if vaultTokenMountPath not provided. Token value.
    value : "[path_to_file_containing_token]"

The apps don't have access to the token, however they are designed to access Vault with AppRole authentication. So the ask here is to support AppRole based authentication from DAPR's Component when spec.type=secretstores.hashicorp.vault

Release Note

RELEASE NOTE:

[yaron2]

@neeta-rathi there are several ways to provide an app (Dapr in this case) with the SecretID as mentioned in the link above.

One thing we can easily do is allow users to supply the SecretID to Dapr via the component secret ref, which means that on Kubernetes, there will be a k8s secret (in the example below, named secretID) that holds the SecretID value and provided to Dapr like this:

- name: secretID
    secretKeyRef:
      name: secretID
      key:  secretID

I'm interested to know based on your organizational policy if this would be considered secure enough, and if not, how do you plan on distributing the SecretID to apps?

[dapr-bot]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged (pinned, good first issue, help wanted or triaged/resolved) or other activity occurs. Thank you for your contributions.

[dapr-bot]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as pinned, good first issue, help wanted or triaged/resolved. Thank you for your contributions.

[infine8]

I believe there should be two fields: roleId and secretId. Do you think is only secretId enough ? btw, when are you going to release this feature? i really need it. can you add this to prerelease ?

[deivanaiarunagiri]

Is there any update on the approle/secretid authentication with vault from dapr ?