I have an application using HashiCorp Vault to store a username and password secret. The application is deployed to a cloud hosting platform and passed a token as an environment variable. On application start the secret is read from Vault using the token and used to open a session to a remote service. The application and the session to the remote service are long lived. If all goes well, the application rarely restarts and therefore rarely reads from Vault. When the application does restart, the token will likely have expired, resulting in failure.
Is there any best practice guidance for how clients should use Vault? The token lifetime could be extended, but the longer the lifetime, the more compromised the security. The application could reestablish the session with the remote service every time it is needed, but this would be inefficient. Is there another alternative I’m not considering? Any thoughts would be appreciated.
Upvotes: 0
Views: 2023
Reputation: 1379
You should use AppRole instead of passing in a plain token. In this, you bake a role ID into your app, and then deploy a secret ID for that role in your environment variable.
Your app can then combine these to get a real token from Vault on startup, and periodically renew that token as it is running.
Upvotes: 6
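The login-then-renew loop the answer describes, as an added example against Vault's HTTP API (this is not code from the answer or from HashiCorp). It assumes the role ID is baked into the build, the secret ID arrives in an `APP_SECRET_ID` environment variable and Vault's address in `VAULT_ADDR` (env var names are assumptions); the `post` parameter lets the same logic run against a fake transport offline.

```python
import json
import os
import time
import urllib.request

ROLE_ID = "PLACEHOLDER-ROLE-ID"  # assumption: baked in at build; the secret_id is the real secret


def http_post(url, body, token=None):
    """Default transport: POST JSON to Vault and return the decoded reply."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Vault-Token"] = token
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def approle_login(addr, role_id, secret_id, post=http_post):
    """POST /v1/auth/approle/login: exchange role_id + secret_id for a client token."""
    auth = post(f"{addr}/v1/auth/approle/login",
                {"role_id": role_id, "secret_id": secret_id})["auth"]
    return auth["client_token"], auth["lease_duration"], auth["renewable"]


def renew_self(addr, token, post=http_post):
    """POST /v1/auth/token/renew-self: extend the running token's TTL."""
    auth = post(f"{addr}/v1/auth/token/renew-self", {}, token=token)["auth"]
    return auth["lease_duration"]


def renew_delay(ttl_seconds, fraction=2 / 3):
    """Renew well before expiry so a failed attempt can still be retried."""
    return max(1, int(ttl_seconds * fraction))


def keep_alive(addr, role_id, secret_id, rounds, post=http_post, sleep=time.sleep):
    """Log in, then renew `rounds` times; re-login when renewal fails. Returns all tokens obtained."""
    token, ttl, renewable = approle_login(addr, role_id, secret_id, post)
    tokens = [token]
    for _ in range(rounds):
        sleep(renew_delay(ttl))
        try:
            if not renewable:
                raise RuntimeError("token is not renewable")
            ttl = renew_self(addr, token, post)
        except Exception:  # max TTL reached, token revoked, Vault unreachable, ...
            token, ttl, renewable = approle_login(addr, role_id, secret_id, post)
            tokens.append(token)
    return tokens


if __name__ == "__main__":
    keep_alive(os.environ["VAULT_ADDR"], ROLE_ID, os.environ["APP_SECRET_ID"], rounds=3)
```

When the token hits its max TTL, `renew-self` is refused and the loop falls back to a fresh AppRole login, so a restart is no longer the only recovery path.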