[Feature Request] Automatic mapping from "kid to Transit Key"
Closed this issue · 4 comments
Automatic mapping from "kid to Vault Transit Key" according to some predefined scheme/rule.
Currently, the mapping is done statically in the backend section of the configuration file (`config/config.json`).
Can this mapping be written in Python code, so that we have the business logic (mapping rule), which Key from Vault is returned in response to a request with a specific `kid` (Key ID), in the code?
Strengths of this Feature/Idea:
- Less configuration effort (Operator only configures Vault keys and Distributey automatically fetches the correct key)
- Business logic over configuration logic
- It might be faster to add additional keys for a consumer/service (only changes in Vault required)
Weaknesses of this Feature/Idea:
- Less flexible. The Vault Key is implicitly defined through the `kid` in the request.
- Might require additional space in the cache to store a mapping (`kid` to Vault Tenant Key) for repeated requests?
I thought this might be handy, this is why I implemented:
distributey/distributey/app.py, line 321 in 9ac8565
If you have a look at these few lines of code, distributey tries to fetch a mapping between `jwe kid` and `vault key path` from `config.json`. If that mapping does not exist, I simply assume that `jwe kid` equals the `vault key path`.
Does that address your problem? You can try this by simply not configuring a `vault key path`:
distributey/config/config.json, line 25 in f1d00a7
Ps. I also assume that key version is `latest`!
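The lookup-with-fallback described in this comment, as an added illustration (not distributey's own code): the config section layout, its key names and the Vault transit export path layout are assumptions. The point worth keeping in mind is that once an unmapped `kid` becomes the key name, the request decides which key is read, so the fallback value should be constrained to a plain key name.

```python
import re

# Constructed stand-in for the "backend" section of config/config.json.
# The real distributey key names are not shown in the thread; these are assumed.
CONFIG = {
    "backend": {
        "tenant-a": {
            "jwe_kid_mapping": {"payments-key": "tenant-a-payments"},
        }
    }
}

# A kid that falls through to become the Vault key name must look like a key
# name, not a path: no separators, no traversal segments, bounded length.
KID_PATTERN = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,127}")


def is_acceptable_fallback_kid(jwe_kid: str) -> bool:
    """True when an unmapped kid may safely be used as the Vault key name."""
    return KID_PATTERN.fullmatch(jwe_kid) is not None


def resolve_vault_key_path(tenant: str, jwe_kid: str, config: dict = CONFIG) -> str:
    """Explicit mapping from config wins; otherwise fall back to kid == key path."""
    tenant_cfg = config.get("backend", {}).get(tenant)
    if tenant_cfg is None:
        raise LookupError(f"unknown tenant: {tenant!r}")
    mapped = tenant_cfg.get("jwe_kid_mapping", {}).get(jwe_kid)
    if mapped is not None:
        return mapped  # operator-controlled value, taken as configured
    if not is_acceptable_fallback_kid(jwe_kid):
        # request-controlled value about to become a path component: reject
        raise ValueError(f"rejecting unmapped kid with unexpected characters: {jwe_kid!r}")
    return jwe_kid


def transit_export_path(key_path: str, version: str = "latest", mount: str = "transit") -> str:
    """Read path for the resolved key, defaulting to the newest version.

    Assumes the Vault transit export layout <mount>/export/encryption-key/<name>/<version>.
    """
    return f"{mount}/export/encryption-key/{key_path}/{version}"
```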
I realized that the current solution does autom. mapping `jwe kid` -> `vault key path`. However, it still requires configuration of a key consumer certificate per `jwe kid`. I changed this in PR #104. This PR allows creating one key consumer cert per tenant.
@in0rdr can you test the PR and confirm this addresses your needs?
This should address our needs, thank you.
Nice 👍 One feature down, one to go 🤘