#WorkloadIdentity

Tremolo Security :kubernetes: tremolo@hachyderm.io
2026-01-13

Static Kubernetes ServiceAccount tokens are a long-standing security risk.
This post walks through authenticating workloads to HashiCorp Vault using JWT/OIDC, exchanging pod identity for short-lived, least-privilege Vault tokens via a Kubernetes-aware STS—without relying on static credentials.

#Kubernetes #HashiCorpVault #OIDC #WorkloadIdentity #ZeroTrust
tremolo.io/post/short-lived-to

2025-04-25

Y'all ever get that feeling that surely you can't be the first one that actually tries to use a software feature as documented, but how could anyone ever have used it considering that it's fundamentally broken? And there are zero bug reports about your issue?!

This is me right now with #Nomad #WorkloadIdentity w/ #Consul. Clearly I'm doing something terribly wrong, because for me the bit that's supposed to keep the Consul token valid and renewed is doing a whole lot of renewing of the JWT token, but not any of the renewing of the Consul side access token it gives you. Even worse than that, every JWT renew causes a change_mode trigger, i.e. a task restart, because it's changed! Yeah sure, you fiddled with the JWT yes, but the Consul token is still super valid? So what was there to re-render?

And yeah, the latest Nomad version makes the use of these mandatory. The feature was first published late 2023 but I've been putting it off, because very complex. Going on day 16 now of trying to get ready for the upgrade. :blobcatnotlikethisgoogly:

:rss: Qiita - Popular Articles qiita@rss-mstdn.studiofreesia.com
2024-11-06

Assorted notes on building a proper Terraform environment: GCS backend, direct Workload Identity access, and CI/CD with tfaction
qiita.com/SoySoySoyB/items/bb3

#qiita #Terraform #CICD #WorkloadIdentity #tfaction

2022-12-12

well that was fun. got #tornjak integrated with #keycloak successfully. Want to try it out for yourself? There's a great blog to walk you through the process #spiffe #WorkloadIdentity medium.com/universal-workload-
