I saw the announcement for the new Vault plugin for Claw, and after reading the documentation twice, I'm a bit concerned. The description says it's "just a wrapper" around the standard Vault client library. This seems to miss the point of tight integration, doesn't it?
My main worry is about the lease management and revocation flow. If an agent is compromised, how does this wrapper ensure secrets are revoked? Does it just pass through the Vault lease, or does it add an additional layer of control specific to Claw's security model? The docs mention it uses the AppRole auth method, which is fine, but I couldn't find a clear path for emergency revocation that leverages Claw's own agent health checks.
I'm still new to this, but I was hoping for something that would handle automatic secret rotation more seamlessly, or maybe integrate with network segmentation policies. A simple wrapper feels like it pushes a lot of complexity back onto me, the person writing the agent configuration. I have to manage the Vault policies, the Claw policies, and the interaction between them.
Am I misunderstanding its purpose? For those who have tried it, does it actually provide a practical pattern, or is it just a minor convenience? I'm hesitant to deploy it without a clearer picture of how it handles a real breach scenario.
Better safe than sorry.
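The lease and revocation flow the post asks about can be reasoned through with a small model. The following is an added example, not code from the Claw plugin, from the Vault client library or from the original poster. It models the Vault behaviour that makes the question answerable: an AppRole login returns a token, every dynamic secret read with that token becomes a child lease of it, and revoking (or expiring) the token revokes all of those leases. The `VaultModel` class, the `RevocationController` that maps agents to tokens, the agent ids, secret paths and the health-check hook are all assumptions constructed for the illustration; a real deployment would call the Vault API for login and token revocation instead.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Lease:
    lease_id: str
    parent_token: str
    ttl: int                 # seconds
    issued_at: float
    revoked: bool = False


@dataclass
class Token:
    agent_id: str
    ttl: int                 # seconds
    issued_at: float
    revoked: bool = False
    leases: list[Lease] = field(default_factory=list)


class VaultModel:
    """In-memory stand-in for the server side (assumption, not real Vault):
    AppRole login issues a token; each secret read with that token creates a
    child lease; revoking the token revokes every child lease. That cascade is
    why token revocation is the emergency lever, not per-lease cleanup."""

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        self._tokens: dict[str, Token] = {}
        self._leases: dict[str, Lease] = {}

    def _token_live(self, token: str) -> bool:
        t = self._tokens.get(token)
        return t is not None and not t.revoked and self._clock() < t.issued_at + t.ttl

    def _lease_live(self, lease: Lease) -> bool:
        # A lease never outlives its parent token in this model.
        return (not lease.revoked
                and self._clock() < lease.issued_at + lease.ttl
                and self._token_live(lease.parent_token))

    def approle_login(self, agent_id: str, token_ttl: int) -> str:
        token = "hvs." + secrets.token_hex(8)   # constructed; real tokens are longer
        self._tokens[token] = Token(agent_id, token_ttl, self._clock())
        return token

    def read_creds(self, token: str, path: str, lease_ttl: int) -> str:
        if not self._token_live(token):
            raise PermissionError("token expired or revoked")
        lease = Lease(f"{path}/{secrets.token_hex(4)}", token, lease_ttl, self._clock())
        self._leases[lease.lease_id] = lease
        self._tokens[token].leases.append(lease)
        return lease.lease_id

    def revoke_token(self, token: str) -> list[str]:
        """Revoke the token and cascade to its child leases; returns what was swept."""
        t = self._tokens[token]
        t.revoked = True
        swept = [lease.lease_id for lease in t.leases if not lease.revoked]
        for lease in t.leases:
            lease.revoked = True
        return swept

    def live_leases(self) -> list[str]:
        return sorted(l.lease_id for l in self._leases.values() if self._lease_live(l))


class RevocationController:
    """Orchestrator-side control layer (assumption): remembers which token each
    agent was issued so one failed health check sweeps everything that agent
    could still use, without enumerating individual leases."""

    def __init__(self, vault: VaultModel):
        self._vault = vault
        self._tokens_by_agent: dict[str, list[str]] = {}

    def login(self, agent_id: str, token_ttl: int = 3600) -> str:
        token = self._vault.approle_login(agent_id, token_ttl)
        self._tokens_by_agent.setdefault(agent_id, []).append(token)
        return token

    def on_health_check(self, agent_id: str, healthy: bool) -> list[str]:
        if healthy:
            return []
        swept: list[str] = []
        for token in self._tokens_by_agent.pop(agent_id, []):
            swept.extend(self._vault.revoke_token(token))
        return swept


def demo() -> dict[str, int]:
    """Two agents hold leases; agent-a fails its health check and is swept."""
    clock = [0.0]                                 # constructed, manually advanced clock
    vault = VaultModel(lambda: clock[0])
    ctl = RevocationController(vault)
    tok_a = ctl.login("agent-a", token_ttl=3600)
    tok_b = ctl.login("agent-b", token_ttl=3600)
    vault.read_creds(tok_a, "database/creds/readonly", lease_ttl=600)
    vault.read_creds(tok_a, "aws/creds/s3-reader", lease_ttl=900)
    vault.read_creds(tok_b, "database/creds/readonly", lease_ttl=7200)
    before = len(vault.live_leases())
    swept = len(ctl.on_health_check("agent-a", healthy=False))
    after_sweep = len(vault.live_leases())
    try:                                          # the revoked token is useless afterwards
        vault.read_creds(tok_a, "database/creds/readonly", lease_ttl=600)
        reuse_blocked = 0
    except PermissionError:
        reuse_blocked = 1
    clock[0] += 3601                              # agent-b's token TTL elapses
    after_expiry = len(vault.live_leases())       # its 7200 s lease dies with the token
    return {"before": before, "swept": swept, "after_sweep": after_sweep,
            "reuse_blocked": reuse_blocked, "after_expiry": after_expiry}


if __name__ == "__main__":
    print(demo())
```

The design point is that the "additional layer of control" does not need to track leases at all: if each agent logs in under its own AppRole token, the orchestrator only has to keep the agent-to-token mapping and revoke the token when its health check fails. The token TTL then bounds how long a compromised but undetected agent keeps working credentials, so a short token TTL with renewal is the knob to tune rather than the individual secret leases.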