Skip to content

[Improvement]: Remove read-back-from-vault dependency (AgentID + env-Thunder) #1326

Description

@yashed

Please select the area the issue is related to

Area/Agent Lifecycle (Agent create, configure, kinds, build, test, deploy, keys/tokens)

Please select the aspect the issue is related to

Aspect/Agent Configuration (Agent configuration, kinds, build options)

Suggested Improvement

Summary
GetCredentials, ClaimSecret (AgentID endpoints), and env-Thunder's system-client secret resolution all rely on reading a previously-stored secret's raw value back out of the key vault (GetSecretWithValue). This needs to go away.

Motivation
We're making the key vault backend pluggable so deployments can use cloud-managed key vaults instead of just OpenBao. Many cloud key vaults don't support (or restrict) reading a value back after it's stored and they're built around "reveal once at generation time," not "store now, fetch anytime." Anything relying on read-back today will break or behave inconsistently once a backend without that capability is plugged in.

Scope

  • AgentID: GetCredentials and ClaimSecret (agent_thunder_provisioning_service.go) : stop reading the stored value back via readCredential; capture and return the credential at generation time instead.
  • env-Thunder: env_resolver.go's system-client secret resolution and same fix, avoid the read-back for authenticating outbound calls.
  • Change the flow of AgentID creation for external agents

Related Issues

No response

Metadata

Metadata

Assignees

Labels

Area/Agent LifecycleAgent create, configure, kinds, build, test, deploy, keys/tokensAspect/Agent ConfigurationAgent configuration, kinds, build optionsType/ImprovementMarks enhancements or improvements to existing features

Type

Fields

No fields configured for Task.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions