Attestation and app-level authorization

Hello, we have an application that needs to fetch a client secret before it can communicate with a 3rd party integration. We’d like some form of app-level authorization rather than human-operator auth. Initially it looked like AppRole Auth Method would have been a good fit but, on reflection, it seems to be an admin API rather than an end-user API. The other issue was that it requires a client secret itself (a chicken and egg scenario). There is a way to turn off the requirement of the client secret but this essentially removes all security from the integration.

Is there a plugin or mechanism that could allow app-level access and utilise an attestation service such as Apple Device Check, Google SafetyNet or Firebase App Check? If there isn’t one today, what would it take to create one in Vault? Such an app-level authorisation and attestation plugin would negate the need for an initial client secret and enable many applications to securely integrate with Vault. Happy to talk further about this use-case.

There is no such thing as an “admin” API. Everything in Vault is user API. The only difference is the policy that is attached to your token.

Secret-Zero is what you’re describing and it’s a problem with any security/auth system. Where/How do you keep your secret zero? You can google that for many different thoughts and patterns.

Here are a couple:

Use whatever your deployment tool is to provide the initial token. Jenkins deploys the app, provides the initial token, which then the app uses to retrieve the app_id,secret_id to auth.

Use “vault token” to auth for you and keep your session alive. This requires a secure pod or a locked VM.

Plugin auth lists: Documentation | Vault by HashiCorp (2nd section on the left side). I don’t know Safetynet, but if it’s google cloud, the GCP secrets plugin should get you access to it. Check: Google Cloud - Secrets Engines | Vault by HashiCorp
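The secret-zero handoff the reply describes, written out as an added example that is not part of the thread and not HashiCorp's code: the deployment tool holds the only privileged token and generates a response-wrapped AppRole secret_id (`vault write -wrap-ttl=120s -f auth/approle/role/<role>/secret-id`); the application ships with nothing more sensitive than the Vault address and its role_id (AppRole's identifier, used together with secret_id at login), receives the short-lived, single-use wrapping token at deploy time, unwraps it, logs in, and reads its third-party credential. Assumed rather than taken from the thread: AppRole mounted at auth/approle, a KV v2 engine at secret/, the role name `myapp`, the `AppBootstrap` class and its injectable `http` parameter, and the Python standard library only.

```python
# Added example: secret-zero bootstrap with Vault response wrapping + AppRole.
# Assumptions (not from the thread): AppRole at auth/approle, KV v2 at secret/,
# role name "myapp"; stdlib only.
import json
import os
import urllib.error
import urllib.request


class VaultError(Exception):
    """Raised for HTTP errors and for failed integrity checks."""


def http_json(method, url, token=None, body=None):
    """Minimal JSON transport over urllib; replaced by a fake in tests."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    except urllib.error.HTTPError as exc:
        detail = exc.read().decode("utf-8", "replace")
        raise VaultError(f"{method} {url} -> HTTP {exc.code}: {detail}") from exc


class AppBootstrap:
    """Turns a deployer-supplied wrapping token into an app-scoped Vault session."""

    def __init__(self, vault_addr, role_id, role_name, http=http_json):
        self.addr = vault_addr.rstrip("/")
        self.role_id = role_id          # low-value identifier, safe in build metadata
        # The only path the deployer is expected to have wrapped for us.
        self.expected_creation_path = f"auth/approle/role/{role_name}/secret-id"
        self.http = http

    def check_wrapping_token(self, wrapping_token):
        """Non-consuming lookup: refuse tokens minted anywhere but the expected path.

        A wrapping token forged by a third party, or one generated for a
        different role, is rejected before we spend our single unwrap on it.
        """
        resp = self.http("POST", f"{self.addr}/v1/sys/wrapping/lookup",
                         body={"token": wrapping_token})
        path = resp.get("data", {}).get("creation_path")
        if path != self.expected_creation_path:
            raise VaultError(f"wrapping token created at {path!r}, expected "
                             f"{self.expected_creation_path!r}; refusing to unwrap")
        return path

    def unwrap_secret_id(self, wrapping_token):
        """Consume the single-use wrapping token to obtain the secret_id.

        Failure here means the token expired or was already unwrapped by
        someone else in transit: log and alert, do not silently retry.
        """
        resp = self.http("POST", f"{self.addr}/v1/sys/wrapping/unwrap",
                         token=wrapping_token)
        secret_id = resp.get("data", {}).get("secret_id")
        if not secret_id:
            raise VaultError("unwrap response carried no secret_id")
        return secret_id

    def login(self, secret_id):
        """AppRole login yields a client token limited to the role's policies."""
        resp = self.http("POST", f"{self.addr}/v1/auth/approle/login",
                         body={"role_id": self.role_id, "secret_id": secret_id})
        return resp["auth"]["client_token"]

    def read_kv2(self, client_token, path, key):
        """Read one key from a KV v2 secret (payload sits under data.data)."""
        resp = self.http("GET", f"{self.addr}/v1/secret/data/{path}",
                         token=client_token)
        return resp["data"]["data"][key]

    def bootstrap(self, wrapping_token, secret_path, key):
        """Full flow: lookup -> unwrap -> login -> read the third-party secret."""
        self.check_wrapping_token(wrapping_token)
        token = self.login(self.unwrap_secret_id(wrapping_token))
        return token, self.read_kv2(token, secret_path, key)


if __name__ == "__main__":
    # VAULT_WRAPPING_TOKEN is injected by the deployer; ROLE_ID is build metadata.
    boot = AppBootstrap(os.environ["VAULT_ADDR"], os.environ["ROLE_ID"],
                        os.environ.get("ROLE_NAME", "myapp"))
    _, client_secret = boot.bootstrap(os.environ["VAULT_WRAPPING_TOKEN"],
                                      "myapp/third-party", "client_secret")
    print("fetched third-party client secret of length", len(client_secret))
```

The `sys/wrapping/lookup` step is what makes the handoff tamper-evident: the lookup does not consume the token, so a token created at an unexpected path is rejected before the one permitted unwrap, and an unwrap that fails on a token the deployer just issued is the signal that it was used by someone else on the way to the app.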