Reputation: 4679
What are the main differences between Hashicorp-Vault AppRole Auth Method and Userpass Auth Method?
In the documentation I see that approle is intended to be used mostly by machines or apps and userpass is for users.
The obvious ones are a slightly different API and some different naming:
What are the other key differences in terms of security, performance etc.?
Upvotes: 2
Views: 2232
Reputation: 749
Another main difference is the workflow, because of the target audience. Let me unpack this.
userpass is made for human users. approle is made for services/machines/scripts.
A main difference, caused by this difference of workflow, lies in how you rotate your secrets.
With userpass, each username has a single password. When you change that single password, it’s changed immediately and the previous one is revoked.
Approle works more like traditional API keys (or AWS access keys if you’re familiar with them, and why AWS let you have 2 different keys): for each role-id, you can create multiple secret-id. This becomes very useful when you need to distribute these secrets to multiple instances, and also to rotate them: the creation of a new secret-id and the revocation of the previous one are decoupled.
Another useful difference to remember is that, although both userpass and approle let you set num_uses or IP restrictions on the generated token, approle also lets you set validation constraints on the secret_id: the secret_id can be set to be only valid from specific IPs, only a specific number of times, or have a TTL (this TTL is on the secret-id, not on the token, which can have another TTL).
These secret-id restrictions give you more control on how you can secure your authentication data distribution (wrapping is indeed really nice, but these other settings give you a lot of options to make it work in your workflow, depending on the service you’re trying to secure).
Upvotes: 6
Reputation: 418
I think a main difference is the ability to use AppRole with secret_id unwrapping for secure introduction. This means that the final auth credentials will never be fully known by your application build and delivery pipeline(s), but only by the application itself.
It should also be noted that secret_id is dynamic, so each application instance using the same role_id will effectively use a different "password". The secret_id itself can also be limited in the number of times it can be used.
I suggest checking out https://learn.hashicorp.com/tutorials/vault/approle#response-wrap-the-secretid
Upvotes: 1
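The two workflows described in the answers above (one password per userpass user; many secret_ids per AppRole role_id, each with its own use count, TTL and CIDR limits, decoupled rotation, and response-wrapped delivery of the secret_id) as an added example, not code from the question or either answer. It drives the Vault HTTP API with the standard library only and assumes a reachable Vault at VAULT_ADDR with an admin token in VAULT_TOKEN (for example a `vault server -dev` instance); the role name "web", the policies and the CIDR are illustrative choices.

```python
# Added example, not from the question or answers: userpass vs AppRole over
# the Vault HTTP API.  Assumes VAULT_ADDR / VAULT_TOKEN point at a live Vault;
# role, policy and CIDR values are illustrative.
import json
import os
import urllib.error
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")

def vault_request(path, payload=None, token=None, wrap_ttl=None):
    """One JSON call to /v1/<path>: POST when a payload is given, else GET."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data,
                                 method="POST" if data is not None else "GET")
    req.add_header("Content-Type", "application/json")
    token = VAULT_TOKEN if token is None else token
    if token:                  # login endpoints are unauthenticated: pass token=""
        req.add_header("X-Vault-Token", token)
    if wrap_ttl:               # ask Vault to response-wrap the reply
        req.add_header("X-Vault-Wrap-TTL", wrap_ttl)
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}

# --- userpass: one user, one password ------------------------------------
def userpass_user_payload(password, policies, token_ttl="1h"):
    """Writing this again with a new password replaces the old one immediately."""
    return {"password": password, "token_policies": policies, "token_ttl": token_ttl}

def setup_userpass(username, password, policies):
    vault_request(f"auth/userpass/users/{username}",
                  userpass_user_payload(password, policies))

def login_userpass(username, password):
    resp = vault_request(f"auth/userpass/login/{username}",
                         {"password": password}, token="")
    return resp["auth"]["client_token"]

# --- approle: one role_id, many secret_ids, each with its own limits -----
def approle_role_payload(policies, secret_id_num_uses=1, secret_id_ttl="10m",
                         secret_id_bound_cidrs=None, token_ttl="1h",
                         token_num_uses=0):
    """secret_id limits (uses, TTL, CIDRs) are separate from the token's limits."""
    payload = {"token_policies": policies,
               "secret_id_num_uses": secret_id_num_uses,   # 0 = unlimited
               "secret_id_ttl": secret_id_ttl,
               "token_ttl": token_ttl,
               "token_num_uses": token_num_uses}
    if secret_id_bound_cidrs:
        payload["secret_id_bound_cidrs"] = secret_id_bound_cidrs
    return payload

def setup_approle(role, policies, **constraints):
    vault_request(f"auth/approle/role/{role}",
                  approle_role_payload(policies, **constraints))
    return vault_request(f"auth/approle/role/{role}/role-id")["data"]["role_id"]

def issue_secret_id(role, wrap_ttl=None):
    """Mint a fresh secret_id; with wrap_ttl the caller only gets a wrapping token."""
    resp = vault_request(f"auth/approle/role/{role}/secret-id", {}, wrap_ttl=wrap_ttl)
    if wrap_ttl:
        return {"wrapping_token": resp["wrap_info"]["token"]}
    return {"secret_id": resp["data"]["secret_id"],
            "accessor": resp["data"]["secret_id_accessor"]}

def unwrap_secret_id(wrapping_token):
    """Run inside the application: the delivery pipeline never sees the secret_id."""
    resp = vault_request("sys/wrapping/unwrap", {}, token=wrapping_token)
    return resp["data"]["secret_id"]

def login_approle(role_id, secret_id):
    resp = vault_request("auth/approle/login",
                         {"role_id": role_id, "secret_id": secret_id}, token="")
    return resp["auth"]["client_token"]

def destroy_secret_id(role, accessor):
    """Revoke one secret_id by accessor; the role's other secret_ids keep working."""
    vault_request(f"auth/approle/role/{role}/secret-id-accessor/destroy",
                  {"secret_id_accessor": accessor})

if __name__ == "__main__":   # needs a live Vault (VAULT_ADDR / VAULT_TOKEN set)
    role_id = setup_approle("web", ["default"], secret_id_num_uses=1,
                            secret_id_ttl="10m",
                            secret_id_bound_cidrs=["127.0.0.1/32"])
    old, new = issue_secret_id("web"), issue_secret_id("web")  # both valid at once
    print("new secret_id works:", bool(login_approle(role_id, new["secret_id"])))
    destroy_secret_id("web", old["accessor"])   # rotation: revoke the old one alone
    try:                                        # num_uses=1: a second login is refused
        login_approle(role_id, new["secret_id"])
    except urllib.error.HTTPError as err:
        print("reuse refused with HTTP", err.code)
    wrapped = issue_secret_id("web", wrap_ttl="120s")["wrapping_token"]
    print("unwrapped login works:",
          bool(login_approle(role_id, unwrap_secret_id(wrapped))))
```

The `__main__` section walks through the AppRole points from both answers against a live server: two secret_ids for one role_id are valid at the same time, revoking one by accessor leaves the other usable, a `secret_id_num_uses=1` secret_id is refused on its second login, and a wrapped secret_id is only ever unwrapped by the application. The userpass helpers show the contrast: a single password per user, replaced outright when the user entry is rewritten.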