[Advice Needed] Optimizing HashiCorp Vault Workflow: Validating Token Management and AppRole Usage

Hello everyone,

I am seeking feedback on my current HashiCorp Vault deployment strategy to ensure its correctness and security. Below is a detailed description of my setup and workflow:

Environment Setup:

  • ROLE_ID: role-id
  • DEFAULT_TOKEN: default-initial-token

Vault Policies:

  1. Default Token Policy:

    # Allow generating tokens
    path "auth/token/create" {
      capabilities = ["update"]
    }
    
    # Allow renewing tokens
    path "auth/token/renew" {
      capabilities = ["update"]
    }
    
    # Allow looking up the details of the caller's token
    path "auth/token/lookup-self" {
      capabilities = ["read"]
    }
    
    # Allow renewing the caller's token
    path "auth/token/renew-self" {
      capabilities = ["update"]
    }
    
    # Optionally, allow revoking the caller's token
    path "auth/token/revoke-self" {
      capabilities = ["update"]
    }
    
    # Allow lookup of other tokens
    path "auth/token/lookup" {
      capabilities = ["read"]
    }
    
  2. K/V Secret Policy:

    # Allow reading data from the "secret/data/demo" path
    path "secret/data/demo" {
      capabilities = ["read"]
    }
    
    # Allow reading the list of mounts in the Vault instance
    path "sys/mounts" {
      capabilities = ["read"]
    }
    

Workflow:

  1. Creating the Default Token:

    vault token create \
        -policy="{{VAULT_ACL_TOKEN_POLICY}}" \
        -metadata="user=developer" \
        -ttl="1h" \
        -renewable=true
    
  2. Renewing the Default Token:
    My application includes a scheduled task that periodically renews the default token:

    vault token renew -increment="1h"
    
  3. Generating Secret ID:
    To access K/V data, the application uses the default token to create a Secret ID:

    # Authenticate as the default token via VAULT_TOKEN. (The CLI's -header flag
    # takes key=value, not "key: value", and must come before the path.)
    VAULT_TOKEN="{{DEFAULT_TOKEN}}" vault write \
        auth/approle/role/{{VAULT_APP_ROLE}}/secret-id \
        metadata='{"tag":"development"}' \
        ttl=60 \
        num_uses=1
    
  4. Generating AppRole Token:
    The Secret ID is then used to obtain an AppRole token:

    # auth/approle/login is an unauthenticated endpoint; no caller token is needed
    vault write auth/approle/login \
        role_id="{{ROLE_ID}}" \
        secret_id="{{SECRET_ID}}"
    
  5. Accessing K/V Data:
    The AppRole token retrieves K/V data:

    # Use the client_token returned by the AppRole login, not the default token
    VAULT_TOKEN="{{APPROLE_TOKEN}}" vault kv get secret/demo
    
  6. Revoking AppRole Token:
    Post-data retrieval, the AppRole token is revoked.

Questions:

  • Is this workflow optimized for secure and efficient use of Vault?
  • Are there any best practices or improvements you would recommend?

Bump, awaiting a reply.

I’m still waiting for a reply to my question.

The way to make AppRole secure is to have separate flows for RoleID generation and Secret ID delivery. I recommend you read:

As an example, we have Gitlab Pipelines to build VMs and inject roleIDs. The pipeline uses the Gitlab JWT as authentication to pull the proper roleID. A separate Ansible pipeline deploys the software, which includes a wrapped SecretID. This also uses the Gitlab JWT, but is managed by a separate group.

On application startup on the VM, both are now available, but they have not been available to either team.
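To make the split-trust pattern from the reply above concrete (and to show where the original post's single "default token" workflow can be tightened), here is an added example script written for this thread. It is not code from the original post, from the replier, or from HashiCorp. It assumes: an AppRole named demo-app already exists, VAULT_ADDR is set, the build pipeline and the deploy pipeline each run with a token carrying only the policy written for it in setup_policies (hypothetical policy names), the demo secret has a field called password, and the application host holds no Vault token of its own, so the wrapping token is its only credential. Running the full flow requires a reachable Vault server; only check_creation_path is a local, pure check.

```shell
#!/bin/sh
# Added example (not the original post's code): split-trust AppRole delivery with
# a response-wrapped SecretID, driven by the Vault CLI. Hypothetical names:
# role "demo-app", policies "<role>-roleid-reader" and "<role>-secretid-issuer".
set -eu

ROLE_NAME="${ROLE_NAME:-demo-app}"

# Least-privilege policies for the two trusted parties. Neither can read the
# secret itself, neither can obtain the other's artifact, and neither needs
# auth/token/create or auth/token/lookup as the default-token policy above grants.
setup_policies() {
  # Build pipeline (first team): may read the RoleID only.
  vault policy write "$ROLE_NAME-roleid-reader" - <<EOF
path "auth/approle/role/$ROLE_NAME/role-id" {
  capabilities = ["read"]
}
EOF
  # Deploy pipeline (second team): may mint SecretIDs, but min/max_wrapping_ttl
  # force the response to be wrapped, so the pipeline never sees a plaintext SecretID.
  vault policy write "$ROLE_NAME-secretid-issuer" - <<EOF
path "auth/approle/role/$ROLE_NAME/secret-id" {
  capabilities     = ["update"]
  min_wrapping_ttl = "60s"
  max_wrapping_ttl = "300s"
}
EOF
}

# Build pipeline: fetch the RoleID and bake it into the VM image.
fetch_role_id() {
  vault read -field=role_id "auth/approle/role/$ROLE_NAME/role-id"
}

# Deploy pipeline: mint a SecretID but receive only a single-use wrapping token,
# which is what gets shipped to the host with the deployment.
issue_wrapped_secret_id() {
  vault write -field=wrapping_token -wrap-ttl=120s -f \
    "auth/approle/role/$ROLE_NAME/secret-id"
}

# Pure check run on the application host before unwrapping. A wrapping token
# substituted by someone else was created by a different endpoint and so carries
# a different creation_path; refuse it. Exit status 0 means the path matches.
check_creation_path() {
  [ "$1" = "auth/approle/role/$2/secret-id" ]
}

# Application host: validate the wrapping token, unwrap, log in, use, revoke.
app_startup() {
  role_id="$1"; wrap_token="$2"
  # sys/wrapping/lookup reports which endpoint created the wrapping token.
  path=$(vault write -field=creation_path sys/wrapping/lookup token="$wrap_token")
  check_creation_path "$path" "$ROLE_NAME" || {
    echo "wrapping token was not created by the expected endpoint: $path" >&2
    return 1
  }
  # Unwrapping consumes the wrapping token; if someone unwrapped it in transit,
  # this call fails, which is how the leak is detected.
  secret_id=$(vault unwrap -field=secret_id "$wrap_token")
  app_token=$(vault write -field=token auth/approle/login \
    role_id="$role_id" secret_id="$secret_id")
  # "password" is an assumed field name in secret/demo.
  VAULT_TOKEN="$app_token" vault kv get -field=password secret/demo
  VAULT_TOKEN="$app_token" vault token revoke -self
}

# Run all three roles in one shell against a dev server: ./approle_wrap.sh run
if [ "${1:-}" = "run" ]; then
  setup_policies
  ROLE_ID=$(fetch_role_id)
  WRAP_TOKEN=$(issue_wrapped_secret_id)
  app_startup "$ROLE_ID" "$WRAP_TOKEN"
fi
```

In production the three functions run in three places with three different tokens: fetch_role_id in the image build, issue_wrapped_secret_id in the deploy pipeline, app_startup on the host. The host-side creation_path check is the step most often skipped; without it, anyone who can replace the delivered wrapping token with one they minted (for example from a different role) can make the application log in as that role.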