Approle authentication

Hi All

I want to tie an application with app role authentication. I have both vault and application sitting on same machine. Do I need to unseal the vault after restart using master token if the application has to use only app role authentication?

Thanks
Guru

Sure. In the sealed state only vault status and vault operator unseal are possible. Everything in Vault is encrypted and you’ll have to log in to get things done.

From the docs:

When a Vault server is started, it starts in a sealed state. In this state, Vault is configured to know where and how to access the physical storage, but doesn’t know how to decrypt any of it.
Unsealing is the process of constructing the master key necessary to read the decryption key to decrypt the data, allowing access to the Vault.
Prior to unsealing, almost no operations are possible with Vault. For example authentication, managing the mount tables, etc. are all not possible. The only possible operations are to unseal the Vault and check the status of the unseal.

(Seal/Unseal | Vault | HashiCorp Developer)

Thanks. Considering the application owner has administrator access on the machine, does this mean the vault service should ideally run on a different machine, as the token has to be secured? Is there any other way I can integrate with the application? The application runs without any human intervention.

There is a production hardening guide for such questions: https://learn.hashicorp.com/vault/operations/production-hardening

In my opinion - and I think it is mentioned in the guide, too - a vault server/cluster should only do the things it’s meant to do: secrets management. Keep the application separated.
If you want no user intervention for vault too - in case of restarts, etc. - you could use an auto-unseal solution: https://learn.hashicorp.com/vault/operations/ops-autounseal-aws-kms and the following guides. :wink:
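A seal-aware AppRole login for an unattended application, added here as an example that is not part of the thread or of HashiCorp's own code: it checks sys/seal-status before calling auth/approle/login, and tells "Vault is sealed" apart from "credentials rejected" so the app can alert an operator instead of retrying blindly. It assumes only those two documented API paths; fake_vault() supplies constructed replies so it runs with no server.

```python
"""Seal-aware AppRole login (added example, not from the thread or HashiCorp).
Uses only the documented Vault paths /v1/sys/seal-status and /v1/auth/approle/login;
fake_vault() returns constructed sample replies so this runs with no server."""
import io
import json
import urllib.error
import urllib.request


def seal_status(addr, opener=urllib.request.urlopen):
    """GET sys/seal-status: one of the few calls Vault answers while sealed."""
    with opener(f"{addr}/v1/sys/seal-status", timeout=5) as resp:
        return json.load(resp)


def approle_login(addr, role_id, secret_id, opener=urllib.request.urlopen):
    """Check the seal, then log in; returns a dict instead of raising on 4xx/5xx."""
    status = seal_status(addr, opener)
    if not status.get("initialized"):
        return {"ok": False, "reason": "uninitialized"}
    if status.get("sealed"):
        # AppRole cannot authenticate while sealed: an operator (or an
        # auto-unseal seal stanza) has to act before the app can proceed.
        return {"ok": False, "reason": "sealed"}
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    req = urllib.request.Request(f"{addr}/v1/auth/approle/login", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    try:
        with opener(req, timeout=5) as resp:
            auth = json.load(resp)["auth"]
    except urllib.error.HTTPError as err:
        # Non-seal endpoints answer 503 if Vault sealed between the check and
        # the login; 400/403 mean the role_id/secret_id pair was rejected.
        return {"ok": False, "reason": "sealed" if err.code == 503 else "rejected",
                "http_status": err.code}
    # Caller keeps the token in memory only; log the accessor, never the token.
    return {"ok": True, "token": auth["client_token"],
            "accessor": auth["accessor"], "ttl": auth["lease_duration"]}


def fake_vault(sealed, login_code=200):
    """Constructed stand-in for urlopen with canned seal-status and login replies."""
    def opener(target, timeout=5):
        url = target if isinstance(target, str) else target.full_url
        if url.endswith("/sys/seal-status"):
            return io.BytesIO(json.dumps({"initialized": True, "sealed": sealed}).encode())
        if login_code != 200:
            raise urllib.error.HTTPError(url, login_code, "login failed", {}, io.BytesIO(b"{}"))
        auth = {"client_token": "hvs.CONSTRUCTED", "accessor": "acc-1", "lease_duration": 3600}
        return io.BytesIO(json.dumps({"auth": auth}).encode())
    return opener
```

With a real server, pass no opener and let role_id/secret_id arrive from the environment or a response-wrapped delivery rather than a file next to the application.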
