Please select the area the issue is related to
Area/Agent Lifecycle (Agent create, configure, kinds, build, test, deploy, keys/tokens)
Please select the aspect the issue is related to
Aspect/Agent Configuration (Agent configuration, kinds, build options)
Suggested Improvement
Summary
GetCredentials, ClaimSecret (AgentID endpoints), and env-Thunder's system-client secret resolution all rely on reading a previously-stored secret's raw value back out of the key vault (GetSecretWithValue). This needs to go away.
Motivation
We're making the key vault backend pluggable so deployments can use cloud-managed key vaults instead of just OpenBao. Many cloud key vaults don't support (or restrict) reading a value back after it's stored and they're built around "reveal once at generation time," not "store now, fetch anytime." Anything relying on read-back today will break or behave inconsistently once a backend without that capability is plugged in.
Scope
- AgentID:
GetCredentials and ClaimSecret (agent_thunder_provisioning_service.go) : stop reading the stored value back via readCredential; capture and return the credential at generation time instead.
- env-Thunder:
env_resolver.go's system-client secret resolution and same fix, avoid the read-back for authenticating outbound calls.
- Change the flow of AgentID creation for external agents
Related Issues
No response
Please select the area the issue is related to
Area/Agent Lifecycle (Agent create, configure, kinds, build, test, deploy, keys/tokens)
Please select the aspect the issue is related to
Aspect/Agent Configuration (Agent configuration, kinds, build options)
Suggested Improvement
Summary
GetCredentials,ClaimSecret(AgentID endpoints), and env-Thunder's system-client secret resolution all rely on reading a previously-stored secret's raw value back out of the key vault (GetSecretWithValue). This needs to go away.Motivation
We're making the key vault backend pluggable so deployments can use cloud-managed key vaults instead of just OpenBao. Many cloud key vaults don't support (or restrict) reading a value back after it's stored and they're built around "reveal once at generation time," not "store now, fetch anytime." Anything relying on read-back today will break or behave inconsistently once a backend without that capability is plugged in.
Scope
GetCredentialsandClaimSecret(agent_thunder_provisioning_service.go) : stop reading the stored value back viareadCredential; capture and return the credential at generation time instead.env_resolver.go's system-client secret resolution and same fix, avoid the read-back for authenticating outbound calls.Related Issues
No response