The External Secrets Enterprise product suite is a premium product. It requires a specific subscription. Contact us for more information.
Securing Applications with Runtime-Bound Credentials
Dynamic credentials are a cornerstone of modern application security, providing temporary, on-demand access to resources. Instead of relying on long-lived static secrets, applications receive credentials that are:
- Runtime-Bound: Generated specifically for a Pod instance when it starts.
- Disposable: Automatically revoked or expired when the Pod is deleted or their Time-To-Live (TTL) is reached.
- Least Privilege: Scoped with the minimum necessary permissions for the task at hand.
ESE combines the Pod Admission Webhook, esi-cli, ESI Federation, and Generators to deliver a seamless dynamic credentials experience.
Key ESE Components for Dynamic Credentials
- Pod Admission Webhook: Intercepts Pod creation/update events and automatically injects and configures an esi-cli init container based on Pod annotations.
- esi-cli: Runs as an init container within your application Pod. It communicates with the ESI Federation server to fetch dynamic credentials from a Generator and injects them into the main application container (as environment variables or files).
- ESI Federation: Enables esi-cli (as a client) to securely request secrets from a central Federation Server. This server can be the same ESE instance managing the Pod or a separate, dedicated ESE instance.
- Generators: Custom Resources (CRs) deployed on the Federation Server. They define how to create dynamic secrets on-the-fly by interacting with backend systems like HashiCorp Vault, AWS IAM, GCP IAM, etc.
The Dynamic Credential Workflow
- Pod Creation: A Pod is defined with specific annotations instructing the ESE Pod Webhook to inject esi-cli and configure it for dynamic credential retrieval.
- Webhook Injection: The Pod Webhook intercepts the Pod creation request. It injects an esi-cli init container and configures it using the provided annotations (federation server URL, target generator, injection method, etc.).
- esi-cli Execution: The esi-cli init container starts before the main application container.
- Federation Request: esi-cli authenticates to the ESI Federation Server (typically using the Pod's Service Account token) and requests a secret from the specified Generator.
- Generator Action: The Generator on the Federation Server interacts with its configured backend (e.g., Vault) to create a new, temporary credential.
- Credential Delivery: The Federation Server returns the dynamic credential to esi-cli.
- Secret Injection: esi-cli injects the received credential data into the application's environment (e.g., as environment variables or files in a shared volume).
- Application Start: The esi-cli init container completes, and the main application container starts with the dynamic credential readily available.
- Credential Revocation: When the Pod is deleted, or the credential's TTL expires, the Generator (or the backend system it manages) is responsible for revoking the credential or ensuring it is no longer valid.
Example: Dynamic Vault Credentials for a Pod
Let's illustrate with an example where a Pod needs temporary credentials from HashiCorp Vault. Prerequisites:
- External Secrets Enterprise installed with Pod Webhook and Federation capabilities enabled.
- HashiCorp Vault configured with a secrets engine and role suitable for generating dynamic credentials.
- The ESE Federation Server must be configured to communicate with Vault (e.g., via a SecretStore pointing to Vault).
Generator
Create a Generator Custom Resource on the ESE Federation Server. This example uses a hypothetical VaultDynamicSecretGenerator that leverages an existing ESE SecretStore (which points to Vault) to generate credentials.
Authorization
Create an Authorization CR on the ESE Federation Server to allow the Service Account of your application Pod to use the vault-app-creds-generator.
esi-cli
- The ESE webhook injects esi-cli.
- esi-cli uses the my-application-sa token to talk to the Federation Server.
- It requests credentials from vault-app-creds-generator.
- The generator contacts Vault, gets dynamic credentials (e.g., a temporary username and password).
- esi-cli sets DB_USER and DB_PASS environment variables for main-app-container.
- The application starts and uses these temporary credentials.
- When the Pod is deleted, Vault (if configured correctly for the role) revokes the lease for these credentials.
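To make the workflow above and the Vault example concrete, here is an added, self-contained Python model of the exchange between the esi-cli init container, the Federation Server, an Authorization policy and a Vault-like generator backend. It is constructed for this page and is not ESE, esi-cli or Vault code: the classes FederationServer, VaultLikeBackend, Generator, Lease, FakeClock and the function esi_cli_init are assumptions made for illustration, the service-account tokens are constructed stand-ins for the Pod's real token, and the names vault-app-creds-generator, my-application-sa, DB_USER and DB_PASS are taken from the example on this page. The model shows the four properties the page relies on: each Pod gets its own credential, an unauthorized service account is refused, the lease dies on Pod deletion, and it also dies when its TTL passes.

```python
# Constructed model of the ESE dynamic-credential workflow (not ESE/Vault code).
import secrets
import time
from dataclasses import dataclass


class FederationError(Exception):
    """Authentication or authorization failure at the Federation Server."""


@dataclass
class Lease:
    lease_id: str
    pod_uid: str          # binds the credential to exactly one Pod instance
    data: dict
    expires_at: float
    revoked: bool = False


class VaultLikeBackend:
    """Stand-in for a Vault role that mints a fresh user/password per request."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so TTL expiry can be tested
        self.leases: dict[str, Lease] = {}

    def issue(self, pod_uid: str, ttl_seconds: int) -> Lease:
        lease = Lease(
            lease_id=secrets.token_hex(8),
            pod_uid=pod_uid,
            data={"username": f"v-{pod_uid}-{secrets.token_hex(4)}",
                  "password": secrets.token_urlsafe(18)},
            expires_at=self.clock() + ttl_seconds,
        )
        self.leases[lease.lease_id] = lease
        return lease

    def revoke(self, lease_id: str) -> None:
        self.leases[lease_id].revoked = True

    def is_valid(self, lease_id: str) -> bool:
        lease = self.leases.get(lease_id)
        return (lease is not None and not lease.revoked
                and self.clock() < lease.expires_at)


@dataclass
class Generator:
    name: str
    backend: VaultLikeBackend
    ttl_seconds: int


class FederationServer:
    """Holds Generators and an Authorization map {service account: allowed generators}."""

    def __init__(self, generators, authorizations, token_to_sa):
        self.generators = {g.name: g for g in generators}
        self.authorizations = authorizations
        self.token_to_sa = token_to_sa      # stand-in for validating the Pod's SA token
        self.audit: list[tuple] = []        # (action, service account, generator, pod)

    def request_secret(self, sa_token: str, generator_name: str, pod_uid: str) -> Lease:
        sa = self.token_to_sa.get(sa_token)
        if sa is None:
            self.audit.append(("deny", None, generator_name, pod_uid))
            raise FederationError("authentication failed")
        if generator_name not in self.authorizations.get(sa, set()):
            self.audit.append(("deny", sa, generator_name, pod_uid))
            raise FederationError(f"{sa} is not authorized for {generator_name}")
        gen = self.generators[generator_name]
        lease = gen.backend.issue(pod_uid, gen.ttl_seconds)
        self.audit.append(("issue", sa, generator_name, pod_uid))
        return lease

    def pod_deleted(self, pod_uid: str) -> int:
        """Revoke every live lease bound to the deleted Pod; return how many."""
        count = 0
        for gen in self.generators.values():
            for lease in gen.backend.leases.values():
                if lease.pod_uid == pod_uid and not lease.revoked:
                    gen.backend.revoke(lease.lease_id)
                    self.audit.append(("revoke", None, gen.name, pod_uid))
                    count += 1
        return count


def esi_cli_init(server, sa_token, generator_name, pod_uid, env_map):
    """Model of the esi-cli init container: fetch a secret, map its fields to env vars."""
    lease = server.request_secret(sa_token, generator_name, pod_uid)
    env = {env_name: lease.data[field] for env_name, field in env_map.items()}
    return lease, env


class FakeClock:
    """Adjustable clock so the TTL edge case can be exercised without sleeping."""
    def __init__(self, now: float = 1_700_000_000.0):
        self.now = now
    def __call__(self) -> float:
        return self.now


def build_server(clock) -> FederationServer:
    """Wire up the page's example: one generator, one authorized service account."""
    backend = VaultLikeBackend(clock)
    return FederationServer(
        generators=[Generator("vault-app-creds-generator", backend, ttl_seconds=3600)],
        authorizations={"my-application-sa": {"vault-app-creds-generator"}},
        token_to_sa={"sa-token-app": "my-application-sa", "sa-token-batch": "batch-sa"},
    )


if __name__ == "__main__":
    clock = FakeClock()
    server = build_server(clock)
    lease, env = esi_cli_init(server, "sa-token-app", "vault-app-creds-generator",
                              "pod-1", {"DB_USER": "username", "DB_PASS": "password"})
    print(sorted(env), server.pod_deleted("pod-1"), server.audit[-1])
```

The revocation path deserves attention when mapping this onto a real deployment: the model revokes on pod_deleted() because the page says the Generator or its backend is responsible for that step, so whatever watches Pod deletion must actually reach the backend; the TTL in is_valid() is the safety net if it does not.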
Benefits of ESE Dynamic Credentials
- Enhanced Security Posture: Drastically reduces the risk associated with compromised static credentials.
- Automated Lifecycle: Credential provisioning and injection are fully automated.
- Centralized Policy and Audit: Generators and Authorizations on the Federation Server provide central control and can be audited.
- Seamless Integration: Works with existing Kubernetes RBAC and Service Accounts.
- Flexibility: Supports various backends through different Generator types and diverse injection methods (env vars, files).