We have a bunch of Windows server applications that currently handle secrets as follows; our apps are in C#.
- We store them in settings files in code
- We store them encrypted, using a certificate
- The servers have this certificate with the private key, so they can decrypt the secret
We’re looking at implementing HashiCorp Vault. It seems easy enough to simply replace the encrypt-store-decrypt with storing the secret in Vault in the KV engine, and just grabbing it in our apps - that takes that certificate out of the picture entirely. Since we’re on-prem, I’ll need to figure out our auth method.
We have different (combinations of) apps running on different machines, and it’s somewhat dynamic (not as much as an autoscaling scenario, but not permanent - so we can’t just assign servers to roles one time and depend on Kerberos auth).
I’m unsure how to make AppRole work in our scenario. We don’t have one of the example “trusted platforms” or “trusted entities” described in “Secure Introduction” - there’s no Nomad, Chef, Terraform, etc. We have Windows machines, in a domain.
Someone on Reddit suggested that this is a simple solution if our apps are all 1-to-1 with the Windows domain account they run under, because then we can just use kerb authentication. But that would mean that the agent on a given piece of metal needs to be able to auth per-process, not for the machine overall.
One other approach - we do have a homegrown orchestrator that could be queried to say “This machine name runs these apps”, so maybe there’s something that can be done there?
Am I in “write your own auth plugin” territory, to speak to our homegrown orchestrator?
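The AppRole secure-introduction flow the post is weighing, as an added C# example that is not the poster's code: a (hypothetical) orchestrator hands each process a single-use, response-wrapped SecretID, the app unwraps it, logs in to get a token scoped to that process rather than the machine, and reads the KV v2 secret that used to sit certificate-encrypted in the settings file. Assumed and not from the post: the VAULT_ADDR, VAULT_ROLE_ID and WRAPPED_SECRET_ID environment variables, KV v2 mounted at "secret", and the constructed secret path "myapp/db".

```csharp
using System;
using System.Net.Http;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
// Added example, not the poster's code. Assumes VAULT_ADDR, VAULT_ROLE_ID and WRAPPED_SECRET_ID
// env vars (the last is a single-use wrapping token handed to this process by a hypothetical
// orchestrator), KV v2 mounted at "secret", and the constructed secret path "myapp/db".
public static class VaultAppRole
{
    private static readonly HttpClient Http = new HttpClient();
    private static async Task<JsonDocument> SendAsync(HttpMethod method, string path, string token, object body)
    {
        using var req = new HttpRequestMessage(method, Environment.GetEnvironmentVariable("VAULT_ADDR") + path);
        if (token != null) req.Headers.Add("X-Vault-Token", token);
        if (body != null) req.Content = new StringContent(JsonSerializer.Serialize(body), Encoding.UTF8, "application/json");
        using var resp = await Http.SendAsync(req);
        resp.EnsureSuccessStatusCode(); // a 4xx on unwrap means the wrapping token was already used or has expired
        return JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
    }
    // Step 1: exchange the wrapping token for the real SecretID. Wrapping tokens are single-use, so a
    // failure here is a signal that someone else may have unwrapped it first and is worth alerting on.
    public static async Task<string> UnwrapSecretIdAsync(string wrappingToken)
    {
        using var doc = await SendAsync(HttpMethod.Post, "/v1/sys/wrapping/unwrap", wrappingToken, null);
        return doc.RootElement.GetProperty("data").GetProperty("secret_id").GetString();
    }
    // Step 2: AppRole login returns a short-lived client token for this process, not for the whole box.
    public static async Task<string> LoginAsync(string roleId, string secretId)
    {
        using var doc = await SendAsync(HttpMethod.Post, "/v1/auth/approle/login", null, new { role_id = roleId, secret_id = secretId });
        return doc.RootElement.GetProperty("auth").GetProperty("client_token").GetString();
    }
    // Step 3: read one key from a KV v2 secret; KV v2 nests the stored key/values under data.data.
    public static async Task<string> ReadKvAsync(string clientToken, string secretPath, string key)
    {
        using var doc = await SendAsync(HttpMethod.Get, "/v1/secret/data/" + secretPath, clientToken, null);
        return doc.RootElement.GetProperty("data").GetProperty("data").GetProperty(key).GetString();
    }
    public static async Task Main()
    {
        string secretId = await UnwrapSecretIdAsync(Environment.GetEnvironmentVariable("WRAPPED_SECRET_ID"));
        string token = await LoginAsync(Environment.GetEnvironmentVariable("VAULT_ROLE_ID"), secretId);
        string password = await ReadKvAsync(token, "myapp/db", "password");
        Console.WriteLine($"Read a {password.Length}-character secret; the value itself is never logged.");
    }
}
```

The RoleID can live in ordinary app config because on its own it cannot log in; the SecretID is the part that has to be delivered per process, which is what the orchestrator's "this machine runs these apps" view would drive.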