May 18, 2023
New feature: Hashicorp Vault plugin
HashiCorp Vault is a system for storing and controlling access to sensitive data such as tokens, passwords, and encryption keys. For companies that prefer to keep their secrets in a tightly controlled environment, our new plugin lets project managers create short-lived Buddy API tokens with customizable access scopes.
How it works
The plugin uses a Buddy Personal Access Token (referred to here as the root token; this is not Vault's own root token) to authorize token creation from Vault. The root token must have the rights to create and manage tokens, and can be hardened by restricting it to selected IPs or workspace domains; those restrictions are automatically inherited by every child token.
For time-limited root tokens, you can enable auto-rotation: one day before the expiration date the plugin creates a new token and deletes the old one.
In Vault, you create a role with the selected scopes and then generate credentials (tokens) from that role. For example, to let your developers run pipelines but not modify them, configure the role like this:
vault write buddy/roles/run_pipeline ttl=30 scopes=WORKSPACE,EXECUTION_RUN
Every generated token has a lease after which it expires; the lease can be extended unless renewal is restricted on the role. Tokens can also be restricted to particular IPs or workspace domains.
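The whole flow from the steps above, written out as an added example script (not Buddy's or HashiCorp's own code): mount the plugin, hand it the root token, create the least-privilege role, issue a token from it, run one pipeline with that token, and hand the lease back so the token dies immediately instead of lingering until its TTL. Only `ttl` and `scopes` come from the page; the plugin name, the `buddy/config` path and its `token_auto_rotate` parameter, the `ip_restrictions`/`workspace_restrictions` role parameters, the `data.token` field of the credential response, and the Buddy REST endpoint and body used to start a run are assumptions, and the workspace, project and pipeline values are placeholders. It requires `vault`, `jq` and `curl` on the PATH and a `VAULT_ADDR`/`VAULT_TOKEN` already set.

```shell
#!/bin/sh
# Added example, not Buddy's or HashiCorp's code. Parameter and plugin
# names other than ttl/scopes are assumptions (see lead-in).
set -eu

# Build the key=value arguments for `vault write buddy/roles/<name>`.
# Scopes are validated (UPPER_SNAKE only) so a typo, an empty list or a
# smuggled "scopes=..." token cannot silently widen the role.
build_role_args() {
  ttl="$1"; shift
  case "$ttl" in ''|*[!0-9]*) echo "ttl must be an integer" >&2; return 1;; esac
  scopes=""
  for s in "$@"; do
    case "$s" in ''|*[!A-Z_]*) echo "bad scope: $s" >&2; return 1;; esac
    scopes="${scopes:+$scopes,}$s"
  done
  [ -n "$scopes" ] || { echo "at least one scope required" >&2; return 1; }
  printf 'ttl=%s scopes=%s\n' "$ttl" "$scopes"
}

# Optional IP / workspace restrictions for a role (parameter names assumed).
build_restriction_args() {  # <comma-separated IPs> <comma-separated workspace domains>
  printf 'ip_restrictions=%s workspace_restrictions=%s\n' "$1" "$2"
}

# One-time setup: mount the plugin and give it the Buddy root token.
# The root token is read from the environment, never passed on argv,
# so it does not show up in `ps` or shell history.
setup_vault() {
  vault secrets enable -path=buddy vault-plugin-secrets-buddy   # plugin name assumed
  vault write buddy/config token="$BUDDY_ROOT_TOKEN" token_auto_rotate=true
}

create_role() {  # create_role <name> <ttl> <scope>...
  name="$1"; shift
  # shellcheck disable=SC2046  (intentional word splitting; values are validated)
  vault write "buddy/roles/$name" $(build_role_args "$@")
}

# Issue one short-lived token, start a pipeline run with it, then revoke the
# lease so the child token is gone regardless of how long the TTL was.
run_pipeline_with_lease() {  # <role> <workspace-domain> <project-name> <pipeline-id>
  role="$1"; ws="$2"; proj="$3"; pid="$4"
  # A single read: every `vault read buddy/creds/<role>` mints a new token.
  creds=$(vault read -format=json "buddy/creds/$role")
  lease_id=$(printf '%s' "$creds" | jq -r .lease_id)
  token=$(printf '%s' "$creds" | jq -r .data.token)   # field name assumed
  status=0
  curl -fsS -X POST \
    -H "Authorization: Bearer $token" -H 'Content-Type: application/json' \
    -d '{"to_revision":{"revision":"HEAD"}}' \
    "https://api.buddy.works/workspaces/$ws/projects/$proj/pipelines/$pid/executions" \
    || status=$?
  vault lease revoke "$lease_id"   # do not leave a live token around
  return "$status"
}

# Only talks to Vault/Buddy when explicitly asked; placeholder values are constructed.
if [ "${BUDDY_VAULT_DEMO:-}" = "1" ]; then
  setup_vault
  create_role run_pipeline 30 WORKSPACE EXECUTION_RUN
  run_pipeline_with_lease run_pipeline my-workspace my-project 12345
fi
```

Reading `buddy/creds/<role>` once and revoking the lease right after the API call is the part worth copying: the role's TTL is the upper bound on a token's life, not its intended lifetime.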
Customer Success Manager