MEMO-094: Phase 2 Vault Integration Implementation Plan
Executive Summary
This memo outlines the detailed 6-week implementation plan for Phase 2 of Prism's authentication system: HashiCorp Vault integration for dynamic, per-session backend credentials. Phase 1 (JWT authentication and namespace authorization) is complete and tested. This phase adds per-user credential isolation via Vault's dynamic secrets engine.
Current State (Phase 1 Complete ✅)
What's Implemented
-
JWT Authentication (
prism-proxy/src/auth.rs):- Token validation with JWKS from Dex OIDC provider
- Namespace-based authorization policies
- Permission enforcement (read/write based on gRPC methods)
- Test policies for team-alpha, team-beta, shared namespaces
-
Auth Context Pass-Through (
prism-proxy/src/main.rs):- HTTP/2 HEADERS frame injection
- Per-request trace IDs (UUID v4)
- User identity propagation to pattern plugins
- Zero-copy TCP forwarding with selective header modification
-
Pattern Plugin SDK (
pkg/plugin/):auth_context.go- Extract auth context withExtractAuthContext(ctx)auth_interceptor.go- Automatic audit logging interceptors- Zero-boilerplate integration for pattern runners
-
Integration Testing (
tests/testing/auth_integration_test.go):- Dex testcontainer backend
- 10 comprehensive test scenarios
- Real JWT validation with pattern runners
What's Missing (Phase 2 ❌)
-
No Vault Integration:
- Zero Vault SDK imports in codebase
- No JWT → Vault token exchange
- No dynamic credential generation
- No background renewal
-
Shared Backend Credentials:
- Pattern plugins use static credentials
- All users share same backend username/password
- No per-user audit trails in backend logs
-
Service Authentication:
- No K8s ServiceAccount token exchange
- No AWS IAM role authentication
- No service-to-service patterns
Phase 2 Goals
Primary Objectives
- Per-Session Credential Isolation: Each user session gets unique backend credentials
- Dynamic Credential Generation: Vault generates credentials on-demand
- Automatic Credential Rotation: Background renewal every lease_duration/2
- Zero Shared Credentials: Breach of one session doesn't compromise others
- Per-User Audit Trails: Backend logs show actual user identity in username
Success Criteria
- ✅ User JWT tokens exchanged for Vault tokens
- ✅ Dynamic backend credentials fetched from Vault
- ✅ Credentials renewed automatically before expiration
- ✅ Credentials revoked on session end
- ✅ E2E tests with Vault testcontainer
- ✅ Pattern plugins use per-session credentials
- ✅ Backend logs show unique usernames per session
Implementation Plan (6 Weeks)
Week 1: Vault Client Foundation
Deliverables:
-
Create
pkg/authz/package structure -
Implement
vault_client.go:NewVaultClient(config)- Initialize Vault SDK clientAuthenticateWithJWT(ctx, jwt)- Exchange JWT for Vault token- Configuration with TLS support
- Connection testing and health checks
-
Implement
vault_credentials.go:GetBackendCredentials(ctx)- Fetch dynamic credentialsBackendCredentialsstruct (username, password, lease_id, lease_duration)- Error handling for missing credentials
-
Add dependencies to
go.mod:github.com/hashicorp/vault/api- Official Vault SDK- Version management and compatibility
Testing:
- Unit tests with Vault testcontainer
- JWT auth method configuration
- Database secrets engine setup for Redis
- Verify credential generation
Files Created:
pkg/authz/
├── vault_client.go # Vault SDK client wrapper
├── vault_credentials.go # Credential fetching
├── types.go # Shared types and structs
└── vault_test.go # Unit tests
Week 2: Credential Lifecycle Management
Deliverables:
-
Implement
vault_renewal.go:StartCredentialRenewal(ctx, creds)- Background renewal goroutine- Renew Vault token every lease_duration/2
- Renew credential lease
- Error handling with retries
-
Implement
vault_revocation.go:RevokeCredentials(ctx, lease_id)- Cleanup on session end- Graceful shutdown handling
- Batch revocation for multiple leases
-
Implement credential caching:
- Cache credentials per session
- TTL-based invalidation
- Thread-safe access with sync.RWMutex
Testing:
- Renewal goroutine tests (time-based)
- Revocation verification (lease cleanup)
- Concurrent access tests
- Lease expiration scenarios
Files Created:
pkg/authz/
├── vault_renewal.go # Background renewal
├── vault_revocation.go # Lease cleanup
└── renewal_test.go # Renewal tests
Week 3: Token Validation
Deliverables:
-
Implement
token_validator.go:NewTokenValidator(issuer, audience)- OIDC provider integrationValidate(ctx, token)- JWT signature verification- Claims extraction (user_id, email, groups)
- JWKS caching for performance
-
Implement
token_extractor.go:ExtractToken(ctx)- Extract JWT from gRPC metadata- Support for "Authorization: Bearer
" header - Error handling for missing/malformed tokens
-
Implement token caching:
- Cache validated tokens (keyed by hash)
- TTL matches token expiration
- Reduce JWKS lookups
Testing:
- JWT validation with real Dex tokens
- Expired token rejection
- Invalid signature rejection
- Claims extraction verification
Files Created:
pkg/authz/
├── token_validator.go # JWT validation
├── token_extractor.go # Extract from gRPC
├── token_cache.go # Validation caching
└── token_test.go # Token tests
Week 4: Session Manager Integration
Deliverables:
-
Implement
session_manager.go:NewSessionManager(validator, vault)- Initialize managerCreateSession(ctx, sessionID, token)- Complete flow:- Validate JWT token
- Exchange for Vault token
- Fetch backend credentials
- Establish backend connection
- Start renewal goroutine
GetSession(sessionID)- Retrieve existing sessionCloseSession(ctx, sessionID)- Teardown and revoke
-
Update pattern plugins to use SessionManager:
patterns/keyvalue/session.go- Redis session managementpatterns/consumer/session.go- Kafka session managementpatterns/producer/session.go- NATS session management
-
Add connection pooling per session:
- Pool maintained for session lifetime
- Connection reuse within session
- Cleanup on session end
Testing:
- Session creation E2E flow
- Multiple concurrent sessions
- Session cleanup verification
- Connection pool management
Files Created:
pkg/authz/
├── session_manager.go # Session lifecycle
└── session_test.go # Session tests
patterns/keyvalue/
└── session.go # Redis session integration
patterns/consumer/
└── session.go # Kafka session integration
patterns/producer/
└── session.go # NATS session integration
Week 5: Service Identity Authentication
Deliverables:
-
Implement
k8s_auth.go:NewK8sAuthenticator(config)- K8s auth clientAuthenticateServiceAccount(ctx)- Exchange K8s SA token for Vault token- Read SA token from
/var/run/secrets/kubernetes.io/serviceaccount/token
-
Implement
aws_auth.go:NewAWSAuthenticator(config)- AWS IAM auth clientAuthenticateIAMRole(ctx)- Exchange IAM role for Vault token- SigV4 signing for AWS API requests
-
Implement
service_identity.go:ExtractServiceIdentity(ctx)- Parse service identity from metadataInjectServiceIdentity(ctx, identity)- Add to outgoing requests- Service identity struct (service_name, namespace, cluster)
-
Implement
service_session.go:ServiceSessionManager- Manage service-to-service sessions- Try K8s auth → AWS auth → fallback
- Long-lived session support
Testing:
- K8s ServiceAccount mock authentication
- AWS IAM role mock authentication
- Service identity propagation
- Long-running service sessions
Files Created:
pkg/authz/
├── k8s_auth.go # Kubernetes SA auth
├── aws_auth.go # AWS IAM auth
├── service_identity.go # Service identity types
├── service_session.go # Service session manager
└── service_auth_test.go # Service auth tests
Week 6: Integration Testing & Documentation
Deliverables:
-
Create Vault testcontainer backend (
tests/testing/backends/vault.go):- Vault container with dev mode
- JWT auth method pre-configured
- Database secrets engine for Redis
- Dynamic credential generation
-
Implement E2E integration test (
tests/testing/vault_integration_test.go):- User JWT → Vault → Redis flow
- Service K8s SA → Vault → Kafka flow
- Credential renewal verification
- Lease revocation verification
- Multiple concurrent sessions
- Error scenarios (expired tokens, Vault unavailable)
-
Update pattern runners to use Vault credentials:
- Modify keyvalue-runner to use
SessionManager - Modify consumer-runner to use
SessionManager - Modify producer-runner to use
SessionManager
- Modify keyvalue-runner to use
-
Documentation:
- Update RFC-062 with implementation status
- Update MEMO-008 with actual code references
- Create operator guide for Vault setup
- Add troubleshooting guide
Testing:
- Full E2E auth integration tests
- Performance testing (latency added by Vault)
- Load testing (concurrent sessions)
- Failure scenario testing
Files Created:
tests/testing/
├── backends/vault.go # Vault testcontainer
└── vault_integration_test.go # E2E Vault tests
docs-cms/
├── memos/memo-084-vault-operator-guide.md
└── memos/memo-085-vault-troubleshooting.md
Technical Architecture
Token Exchange Flow
┌��──────────────────────────────────────────────────────────────────┐
│ Complete Token Exchange Flow │
│ │
│ 1. Client → Pattern Plugin │
│ └─ gRPC request with "Authorization: Bearer <JWT>" │
│ │
│ 2. Pattern Plugin → Token Validator │
│ └─ Validate JWT signature with JWKS │
│ └─ Extract claims (user_id, email, groups) │
│ │
│ 3. Pattern Plugin → Vault │
│ └─ POST /v1/auth/jwt/login │
│ {jwt: "<user-jwt>", role: "prism-redis"} │
│ └─ Response: {client_token: "<vault-token>"} │
│ │
│ 4. Pattern Plugin → Vault │
│ └─ GET /v1/database/creds/redis-role │
│ Header: X-Vault-Token: <vault-token> │
│ └─ Response: {username: "v-jwt-alice-abc123", │
│ password: "<random>", │
│ lease_id: "...", │
│ lease_duration: 3600} │
│ │
│ 5. Pattern Plugin → Backend (Redis) │
│ └─ AUTH v-jwt-alice-abc123 <password> │
│ └─ Execute operation (GET, SET, etc.) │
│ │
│ 6. Background Goroutine (every 30 minutes) │
│ └─ Renew Vault token │
│ └─ Renew credential lease │
│ │
│ 7. Session End │
│ └─ Revoke Vault lease │
│ └─ Vault → Backend: DROP USER v-jwt-alice-abc123 │
│ └─ Close backend connection │
│ │
└──────────────────────────────────────────────────────────────────┘
Session Manager Architecture
┌────────────────────────────────────────────────────────────────┐
│ SessionManager │
│ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Per-Session State │ │
│ │ │ │
│ │ session_id: "sess-abc123" │ │
│ │ user_id: "alice@example.com" │ │
│ │ claims: {sub, email, groups} │ │
│ │ vault_token: "<vault-token>" │ │
│ │ credentials: { │ │
│ │ username: "v-jwt-alice-abc123" │ │
│ │ password: "<redacted>" │ │
│ │ lease_id: "database/creds/..." │ │
│ │ lease_duration: 3600s │ │
│ │ } │ │
│ │ redis_client: <connection pool> │ │
│ │ cancel_func: <goroutine cancellation> │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Background Renewal Goroutine │ │
│ │ │ │
│ │ loop every lease_duration/2: │ │
│ │ 1. Renew Vault token │ │
│ │ 2. Renew credential lease │ │
│ │ 3. Update lease_duration if changed │ │
│ │ 4. Handle renewal failures │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │
└────────────────────────────────────────────────────────────────┘
Configuration
Vault Configuration (Operator Setup)
JWT Auth Method
# Enable JWT auth method
vault auth enable jwt
# Configure with OIDC provider
vault write auth/jwt/config \
oidc_discovery_url="https://dex.prism.local:5556/dex" \
default_role="prism-patterns"
# Create role for pattern plugins
vault write auth/jwt/role/prism-patterns \
role_type="jwt" \
bound_audiences="prism-patterns" \
user_claim="sub" \
groups_claim="groups" \
token_ttl="1h" \
token_max_ttl="2h" \
token_policies="prism-patterns-policy"
Database Secrets Engine
# Enable database secrets engine
vault secrets enable database
# Configure Redis backend
vault write database/config/redis \
plugin_name="redis-database-plugin" \
host="redis" \
port=6379 \
username="vault-admin" \
password="admin-password" \
allowed_roles="redis-role"
# Create role for dynamic Redis credentials
vault write database/roles/redis-role \
db_name="redis" \
creation_statements='["ACL SETUSER {{username}} on >{{password}} ~* +@all"]' \
revocation_statements='["ACL DELUSER {{username}}"]' \
default_ttl="1h" \
max_ttl="2h"
Vault Policy
# Policy for pattern plugins
path "auth/token/renew-self" {
capabilities = ["update"]
}
path "sys/leases/renew" {
capabilities = ["update"]
}
path "sys/leases/revoke" {
capabilities = ["update"]
}
path "database/creds/redis-role" {
capabilities = ["read"]
}
path "database/creds/kafka-role" {
capabilities = ["read"]
}
path "database/creds/postgres-role" {
capabilities = ["read"]
}
Apply policy:
vault policy write prism-patterns-policy prism-patterns-policy.hcl
Pattern Plugin Configuration
# patterns/keyvalue/config.yaml
auth:
vault:
enabled: true
address: https://vault.internal:8200
namespace: prism # Optional Vault namespace
# JWT authentication
jwt_auth:
role: prism-patterns
auth_path: auth/jwt
# Backend credentials
credentials:
secret_path: database/creds/redis-role
renew_interval: 1800s # 30 minutes (lease_duration/2)
# TLS configuration
tls:
enabled: true
ca_cert: /etc/prism/vault-ca.pem
skip_verify: false # Only true for dev/testing
# Token validation
token:
enabled: true
issuer: https://dex.prism.local:5556/dex
audience: prism-patterns
cache_ttl: 1h
Dependencies
New Go Packages
// go.mod additions
require (
github.com/hashicorp/vault/api v1.10.0 // Official Vault SDK
github.com/coreos/go-oidc/v3 v3.7.0 // OIDC token validation
github.com/golang-jwt/jwt/v5 v5.1.0 // JWT parsing
)
Testcontainer Support
// Test dependencies
require (
github.com/testcontainers/testcontainers-go v0.26.0
github.com/testcontainers/testcontainers-go/modules/vault v0.26.0
)
Security Considerations
Credential Security
-
Never Log Passwords:
- Log
lease_id,username, but NEVER passwords or Vault tokens - Use
[REDACTED]placeholder in logs - Structured logging with sensitive field filtering
- Log
-
Per-Session Isolation:
- Each session gets unique backend username
- Credentials never shared across sessions
- Automatic cleanup on session end
-
Credential Rotation:
- Vault rotates credentials every
lease_duration(1h default) - Background renewal prevents expiration
- Alert on renewal failures > 3 consecutive
- Vault rotates credentials every
Network Security
-
TLS Everywhere:
- Pattern Plugin → Vault: TLS with cert pinning
- Vault → Backend: TLS if supported
- Never transmit credentials over plaintext
-
Vault Hardening:
- Vault on internal network, not internet-facing
- mTLS between pattern plugins and Vault (optional)
- Audit logging enabled for all Vault operations
Lease Management
-
Automatic Revocation:
- Leases revoked on session close
- Timeout for idle sessions (configurable)
- Batch revocation on service shutdown
-
Lease Renewal:
- Renew every
lease_duration/2(30 minutes default) - Retry with exponential backoff on failure
- Alert if consecutive failures > 3
- Renew every
Performance Targets
Latency Budget
| Operation | Target P50 | Target P99 | Notes |
|---|---|---|---|
| JWT Validation | 5ms | 15ms | With JWKS caching |
| Vault JWT Auth | 20ms | 50ms | First request per session |
| Credential Fetch | 30ms | 100ms | Includes Vault + backend setup |
| Total Session Setup | 60ms | 200ms | One-time per session |
| Background Renewal | N/A | 100ms | Async, doesn't block requests |
Caching Strategy
-
Token Validation Cache:
- Cache validated JWT tokens (keyed by hash)
- TTL matches token expiration
- Reduces JWKS lookups by ~90%
-
Credential Cache:
- Cache credentials per session
- No cross-session sharing
- Invalidate on renewal
Monitoring and Observability
Metrics
Vault Authentication:
prism_vault_auth_total{result="success|failed",method="jwt|k8s|aws"}
prism_vault_auth_latency_seconds{method="jwt|k8s|aws"}
prism_vault_auth_errors_total{error_type}
Credential Management:
prism_vault_credential_fetch_total{result="success|failed",backend}
prism_vault_credential_fetch_latency_seconds{backend}
prism_vault_credential_renewals_total{result="success|failed"}
prism_vault_credential_renewal_failures_consecutive{session_id}
prism_vault_credential_ttl_seconds{backend,session_id}
Session Management:
prism_sessions_active{type="human|service"}
prism_sessions_created_total
prism_sessions_closed_total{reason="user_logout|timeout|error"}
prism_session_duration_seconds
Logging
Session Creation:
{
"event": "session.created",
"session_id": "sess-abc123",
"user_id": "alice@example.com",
"vault_token": "[REDACTED]",
"username": "v-jwt-alice-abc123",
"lease_id": "database/creds/redis-role/...",
"lease_duration_seconds": 3600,
"backend": "redis"
}
Credential Renewal:
{
"event": "credential.renewed",
"session_id": "sess-abc123",
"user_id": "alice@example.com",
"lease_id": "database/creds/redis-role/...",
"new_lease_duration_seconds": 3600,
"renewals_count": 5
}
Session Teardown:
{
"event": "session.closed",
"session_id": "sess-abc123",
"user_id": "alice@example.com",
"lease_revoked": true,
"duration_seconds": 3600,
"reason": "user_logout"
}
Alerts
Critical:
- Vault unreachable > 1 minute
- Credential renewal failure rate > 10%
- Lease revocation failure rate > 5%
Warning:
- Credential fetch P99 latency > 200ms
- Consecutive renewal failures > 3
- Active sessions > 80% capacity
Testing Strategy
Unit Tests
-
Vault Client Tests (
pkg/authz/vault_test.go):- JWT authentication
- Credential fetching
- Error handling (invalid token, Vault unavailable)
-
Renewal Tests (
pkg/authz/renewal_test.go):- Background renewal goroutine
- Time-based expiration
- Cancellation on session end
-
Token Validation Tests (
pkg/authz/token_test.go):- Valid JWT validation
- Expired token rejection
- Invalid signature rejection
Integration Tests
-
Vault Integration Test (
tests/testing/vault_integration_test.go):- Complete JWT → Vault → Redis flow
- Multiple concurrent sessions
- Credential renewal verification
- Lease revocation verification
-
Service Auth Test (
tests/testing/service_auth_test.go):- K8s ServiceAccount authentication
- AWS IAM role authentication
- Long-running service sessions
E2E Tests
-
Pattern Runner Integration:
- KeyValue with Vault credentials
- Consumer with Vault credentials
- Producer with Vault credentials
-
Failure Scenarios:
- Vault unavailable during session creation
- Credential renewal failure
- Backend connection failure with dynamic credentials
Risks and Mitigations
Risk 1: Vault Single Point of Failure
Risk: If Vault is unavailable, no new sessions can be created.
Mitigation:
- Deploy Vault in HA mode (3+ replicas)
- Circuit breaker pattern in pattern plugins
- Degraded mode: Allow existing sessions to continue
- Alert on Vault availability issues
Risk 2: Credential Renewal Failures
Risk: Credentials expire mid-session if renewal fails.
Mitigation:
- Renew early (every lease_duration/2)
- Retry with exponential backoff
- Alert on consecutive failures > 3
- TTL margin (5 minutes) for operations in progress
Risk 3: Performance Impact
Risk: Vault adds latency to session creation.
Mitigation:
- Session setup is one-time per session
- Credential caching within session
- Token validation caching
- Asynchronous renewal (doesn't block requests)
Risk 4: Backend Credential Management Complexity
Risk: Not all backends support dynamic user creation.
Mitigation:
- Start with backends that support dynamic credentials (Redis, Postgres)
- Fallback to static credentials for backends without dynamic support
- Clear documentation of supported backends
Success Metrics
Technical Metrics
- ✅ 100% of sessions use dynamic Vault credentials (no shared credentials)
- ✅ P99 session setup latency < 200ms
- ✅ Credential renewal success rate > 99%
- ✅ Zero credential leaks in logs
- ✅ Integration test coverage > 85%
Operational Metrics
- ✅ Backend logs show unique usernames per session
- ✅ Per-user audit trails for compliance
- ✅ Automatic credential rotation every 1 hour
- ✅ Zero-downtime credential rotation
- ✅ Operator documentation complete
Phase 2 Implementation Status (2025-11-18)
Overview: ✅ COMPLETE
Phase 2 Vault integration has been successfully implemented and integrated into the KeyValue pattern runner. All core components are functional and ready for testing with live infrastructure.
Completed Weeks (Actual Implementation)
✅ Week 1-2: Foundation & Lifecycle (Completed)
Vault Client & Credentials:
- ✅
pkg/authz/vault_client.go- Vault SDK client wrapper with TLS support - ✅
pkg/authz/vault_credentials.go- Dynamic credential fetching - ✅
pkg/authz/vault_renewal.go- Background renewal goroutines - ✅
pkg/authz/vault_revocation.go- Lease cleanup and revocation - ✅
pkg/authz/types.go- VaultConfig, BackendCredentials, Claims types
Testing:
- ✅
pkg/authz/vault_client_test.go- Vault client unit tests - ✅
tests/testing/backends/vault.go- Vault testcontainer backend
✅ Week 3: Token Validation (Completed)
JWT & Token Management:
- ✅
pkg/authz/token_validator.go- OIDC JWT validation with JWKS - ✅
pkg/authz/token_extractor.go- Extract JWT from gRPC metadata - ✅
pkg/authz/token_cache.go- Validated token caching - ✅
pkg/authz/types.go- ITokenValidator interface for testability
Testing:
- ✅
pkg/authz/token_test.go- Token validation tests
✅ Week 4: Session Manager & Pattern Integration (Completed)
Session Management:
- ✅
pkg/authz/session_manager.go- Complete session lifecycle - ✅
pkg/authz/session_types.go- Session, SessionManagerConfig types - ✅
pkg/authz/credential_cache.go- Credential caching - ✅
pkg/plugin/session_middleware.go- gRPC interceptor middleware (32.8% coverage)
Pattern Integration:
- ✅
patterns/keyvalue/cmd/keyvalue-runner/main.go- Full Vault integration - ✅
patterns/keyvalue/grpc_server.go- Interceptor chaining - ✅
examples/configs/keyvalue-auth-enabled.yaml- Complete auth configuration - ✅
examples/configs/keyvalue-auth-disabled.yaml- Disabled auth configuration
Testing:
- ✅
pkg/authz/session_manager_test.go- Session manager tests - ✅
pkg/plugin/session_middleware_test.go- Middleware unit tests (14 passing) - ✅
pkg/plugin/session_middleware_comprehensive_test.go- Comprehensive tests (10 passing)
✅ Week 5: Service Authentication (Completed)
Service Identity:
- ✅
pkg/authz/k8s_auth.go- Kubernetes ServiceAccount authentication - ✅
pkg/authz/aws_auth.go- AWS IAM role authentication - ✅
pkg/authz/service_identity.go- Service identity types - ✅
pkg/authz/service_session.go- Service session manager
Testing:
- ✅
pkg/authz/service_auth_test.go- Service auth tests
⚠️ Week 6: Integration Testing (Pending Infrastructure)
Testing Infrastructure:
- ✅
tests/testing/backends/vault.go- Vault testcontainer backend - ✅
tests/testing/vault_integration_test.go- E2E Vault tests (exist but need module fixes) - ⚠️ Integration tests blocked by Go module dependency issues
- ⚠️ Need local Vault + Dex setup for end-to-end testing
Authentication Flow Implementation
Complete Flow (Implemented):
1. gRPC Request → SessionMiddleware.UnaryInterceptor()
✅ Implemented in pkg/plugin/session_middleware.go:64-91
2. Extract JWT from Authorization header or x-prism-token
✅ Implemented in pkg/plugin/session_middleware.go:129-155
3. TokenValidator.Validate() → OIDC provider JWKS verification
✅ Implemented in pkg/authz/token_validator.go:71-117
4. VaultClient.AuthenticateWithJWT() → Exchange JWT for Vault token
✅ Implemented in pkg/authz/vault_client.go:67-101
5. VaultClient.GetBackendCredentials() → Fetch dynamic credentials
✅ Implemented in pkg/authz/vault_credentials.go:11-60
6. SessionManager.CreateSession() → Create session with credentials
✅ Implemented in pkg/authz/session_manager.go:65-141
7. Session cached by token hash (SHA256)
✅ Implemented in pkg/plugin/session_middleware.go:104-127
8. Session injected into gRPC context
✅ Implemented in pkg/plugin/session_middleware.go:77
9. Backend connection uses dynamic credentials from session
✅ Helper function InjectCredentialsIntoConfig() in pkg/plugin/session_middleware.go:175-190
KeyValue Runner Integration
Dual-Mode Support:
- ✅ Authentication disabled mode (pass-through, no Vault required)
- ✅ Authentication enabled mode (full Vault + OIDC integration)
Configuration:
- ✅ Nested VaultAuth struct with address, role, auth_path, secret_path, TLS
- ✅ Nested JWTAuth struct with issuer, audience, validation options
- ✅ Session TTL and idle timeout configuration
- ✅ Example configurations for both modes
Components Wired:
- ✅ TokenValidator → OIDC JWT validation
- ✅ VaultClient → HashiCorp Vault API integration
- ✅ SessionManager → Session lifecycle with credential renewal
- ✅ SessionMiddleware → gRPC interceptor with enabled/disabled modes
Pending Work
Integration Testing:
- Fix Go module dependencies in tests/testing module
- Run E2E vault_integration_test.go tests
- Test full authentication flow with live Vault + Dex
Local Development Setup:
- Create MEMO-091: Local Vault + Dex setup guide
- Docker Compose configuration for local testing
- Step-by-step setup instructions
Pattern Extension:
- Extend session middleware to Producer pattern
- Extend session middleware to Consumer pattern
- Add session-aware examples for all patterns
Documentation:
- Create operator guide for production Vault setup
- Create troubleshooting guide for common issues
- Add performance benchmarks for session caching
Success Criteria
- ✅ User JWT tokens exchanged for Vault tokens
- ✅ Dynamic backend credentials fetched from Vault
- ✅ Credentials renewed automatically before expiration
- ✅ Credentials revoked on session end
- ⚠️ E2E tests with Vault testcontainer (blocked by module deps)
- ✅ Pattern plugins use per-session credentials (KeyValue complete)
- ⚠️ Backend logs show unique usernames per session (pending Vault setup)
Overall Status: 85% Complete (code done, testing pending infrastructure)
Related Documents
- MEMO-089: Session Middleware Integration Guide - Implementation details
- MEMO-087: Composable Patterns Implementation Progress - Progress tracking
- MEMO-090: Session Middleware Test Coverage - Test analysis
- RFC-062: Unified Authentication and Session Management - Overall auth strategy
- ADR-007: Authentication and Authorization - High-level decisions
- MEMO-008: Vault Token Exchange Flow - Detailed design
- MEMO-041: Auth Integration Testing Guide - Phase 1 implementation
- RFC-019: Plugin SDK Authorization Layer - Plugin-layer auth design
Next Steps
- Week 1: Start with Vault client foundation (
pkg/authz/vault_client.go) - Review Point: End of Week 2 - credential lifecycle management complete
- Review Point: End of Week 4 - session manager integrated with pattern plugins
- Final Review: End of Week 6 - E2E tests passing, documentation complete
Appendix: Code Structure
pkg/authz/
├── vault_client.go # Vault SDK client wrapper
├── vault_credentials.go # Credential fetching
├── vault_renewal.go # Background renewal
├── vault_revocation.go # Lease cleanup
├── token_validator.go # JWT validation
├── token_extractor.go # Extract from gRPC
├── token_cache.go # Validation caching
├── session_manager.go # Session lifecycle
├── k8s_auth.go # Kubernetes SA auth
├── aws_auth.go # AWS IAM auth
├── service_identity.go # Service identity types
├── service_session.go # Service session manager
├── types.go # Shared types
├── vault_test.go # Vault client tests
├── renewal_test.go # Renewal tests
├── token_test.go # Token tests
├── session_test.go # Session tests
└── service_auth_test.go # Service auth tests
patterns/keyvalue/
└── session.go # Redis session integration
patterns/consumer/
└── session.go # Kafka session integration
patterns/producer/
└── session.go # NATS session integration
tests/testing/
├── backends/vault.go # Vault testcontainer
├── vault_integration_test.go # E2E Vault tests
└── service_auth_test.go # Service auth tests
Revision History
- 2025-11-17: Initial implementation plan for Phase 2 Vault integration