What would you like Teleport to do?
Teleport could have either a Plugin (API) or builtin support to allow pushing short-lived secrets to external Secret Providers like Hashicorp Vault, AWS Secrets Manager, or Azure Keyvault.
What problem does this solve?
When using short-lived containers (like Kubernetes (Cron)Jobs) or CI jobs, authentication using Machine ID is a bit tricky.
With the automatic certificate generation / rollover embedded in Teleport itself, it would free up a lot of complex logic in CI jobs.
The way I would see this working, is using a dedicated Resource like a "SecretProvider".
This should describe which account would be used, and to which keyvault and secret key it would link. A TTL would describe the interval in which Teleport would generate an auth file and upload it to the linked secret provider.
CI jobs (or other tasks) can then just use the credential from the key vault. There could even be standard ServiceConnections in Azure containing the correct information to connect to Teleport.
If a workaround exists, please include it.
The current setup is based on Machine ID with long lived CI runners, that can generate credentials on the fly. One could build such a setup themselves with Machine ID, and use these machines to run the other CI jobs.
Another workaround (which we currently use) is having custom pipelines which contact Teleport to generate an auth file and manually insert it into an Azure Key Vault. This pipeline is quite complex and error-prone.
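To make the proposed "SecretProvider" resource concrete, here is an added Go sketch of the rotation loop such a feature would need. It is example code written for this page, not Teleport's own implementation, and the types in it (Credential, Issuer, SecretStore, SecretProvider, the stub issuer and the in-memory store) are assumptions; a real version would call the Teleport auth server and the vault SDK. It models the fields the post asks for (store, key, TTL) plus the part a security reviewer would insist on: rotating at a fraction of the TTL so a fresh credential reaches the store before the old one expires, and never losing the last-known-good credential when a push fails, with an explicit error once consumers are actually locked out.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Credential is the short-lived artifact written to the external store; in
// Teleport terms, a Machine ID identity (auth) file. Data is a placeholder.
type Credential struct {
	Data    string
	Expires time.Time
}

// Valid reports whether the credential is still usable at time now.
func (c Credential) Valid(now time.Time) bool { return c.Data != "" && now.Before(c.Expires) }

// Issuer mints a credential valid for ttl starting at now (the Teleport side).
type Issuer interface {
	Issue(now time.Time, ttl time.Duration) (Credential, error)
}

// SecretStore abstracts Vault, AWS Secrets Manager or Azure Key Vault: the only
// operation rotation needs is an overwrite of one named secret.
type SecretStore interface {
	Put(key, value string) error
}

// ErrCredentialGap means a push failed and nothing valid is left in the store.
var ErrCredentialGap = errors.New("push failed and the stored credential has expired")

// SecretProvider models the proposed resource: store, key and TTL. RenewFraction
// and RetryAfter are assumed tuning knobs, not part of the original proposal.
type SecretProvider struct {
	Key           string
	TTL           time.Duration
	RenewFraction float64       // rotate once this fraction of the TTL has elapsed
	RetryAfter    time.Duration // re-attempt interval after a failed issue or push
	Issuer        Issuer
	Store         SecretStore
	current       Credential // last credential known to have reached the store
}

// Rotate issues a fresh credential, pushes it, and returns when to run next.
// A failure never discards what is already in the store: while that credential
// is valid the caller retries sooner (no later than its expiry); once it has
// expired the error wraps ErrCredentialGap so the outage is visible.
func (p *SecretProvider) Rotate(now time.Time) (time.Time, error) {
	cred, err := p.Issuer.Issue(now, p.TTL)
	if err != nil {
		return p.retryOrGap(now, fmt.Errorf("issue credential: %w", err))
	}
	if err := p.Store.Put(p.Key, cred.Data); err != nil {
		return p.retryOrGap(now, fmt.Errorf("push to %q: %w", p.Key, err))
	}
	p.current = cred
	return now.Add(time.Duration(float64(p.TTL) * p.RenewFraction)), nil
}

func (p *SecretProvider) retryOrGap(now time.Time, cause error) (time.Time, error) {
	next := now.Add(p.RetryAfter)
	if p.current.Valid(now) {
		if next.After(p.current.Expires) {
			next = p.current.Expires // last chance before consumers lose access
		}
		return next, cause
	}
	return next, fmt.Errorf("%w: %v", ErrCredentialGap, cause)
}

// stubIssuer stands in for the Teleport auth server (constructed for this example).
type stubIssuer struct{ n int }

func (s *stubIssuer) Issue(now time.Time, ttl time.Duration) (Credential, error) {
	s.n++
	return Credential{Data: fmt.Sprintf("identity-%d", s.n), Expires: now.Add(ttl)}, nil
}

// memStore is an in-memory stand-in for a key vault; its next failNext pushes fail.
type memStore struct {
	secrets  map[string]string
	failNext int
}

func (m *memStore) Put(key, value string) error {
	if m.failNext > 0 {
		m.failNext--
		return errors.New("vault unreachable")
	}
	if m.secrets == nil {
		m.secrets = map[string]string{}
	}
	m.secrets[key] = value
	return nil
}

func main() {
	store := &memStore{}
	p := &SecretProvider{Key: "teleport/ci-identity", TTL: time.Hour, RenewFraction: 0.5,
		RetryAfter: 5 * time.Minute, Issuer: &stubIssuer{}, Store: store}
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	for i := 0; i < 4; i++ {
		if i == 1 {
			store.failNext = 1 // simulate the vault being unreachable on the second rotation
		}
		next, err := p.Rotate(now)
		fmt.Printf("%s rotate: stored=%q next=%s err=%v\n",
			now.Format(time.Kitchen), store.secrets[p.Key], next.Format(time.Kitchen), err)
		now = next
	}
}
```

The design choice worth noting is that a push failure is not treated as "try again at the normal interval": the retry is pulled forward and capped at the expiry of the credential already in the vault, because from the consumers' point of view that expiry, not the Teleport-side TTL, is the deadline.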
Using the rotation feature of an external secret provider with a static Teleport token (maybe not recommended, btw, but convenient for integrating with the customer's rotation system).