Can the vault agent, running on Windows bare metal, authenticate different users/processes that are running on the same machine?

We have a bunch of Windows server applications that currently handle secrets as follows; our apps are in C#.

  • We store them in settings files in code
  • We store them encrypted, using a certificate
  • The servers have this certificate with the private key, so they can decrypt the secret

We’re looking at implementing Hashicorp Vault. It seems easy enough to simply replace the encrypt-store-decrypt with storing the secret in Vault in the KV engine, and just grabbing it in our apps - that takes that certificate out of the picture entirely. Since we’re on-prem, I’ll need to figure out our auth method.

We have different (combinations of) apps running on different machines, and it’s somewhat dynamic (not as much as an autoscaling scenario, but not permanent - so we can’t just assign servers to roles one time and depend on Kerberos auth).

I’m unsure how to make AppRole work in our scenario. We don’t have one of the example “trusted platforms” or “trusted entities” described in “Secure Introduction” - there’s no Nomad, Chef, Terraform, etc. We have Windows machines, in a domain.

Someone on Reddit suggested that this is a simple solution if our apps are all 1-to-1 with the Windows domain account they run under, because then we can just use kerb authentication. But that would mean that the agent on a given piece of metal needs to be able to auth per-process, not for the machine overall.

One other approach - we do have a homegrown orchestrator that could be queried to say “This machine name runs these apps”, so maybe there’s something that can be done there?

Am I in “write your own auth plugin” territory, to speak to our homegrown orchestrator?

Hi @mfinnigan ,

Yes, you would have to write your own auth plugin to interface to the orchestrator.

I don’t know much of anything about Kerberos or Windows, but - what about running multiple agent processes, each with their own listening address and kerberos auth config? One per client app, that is.
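As an added illustration of the "one agent per client app" idea (not a config from the thread or from HashiCorp's docs), here is what one of those agent instances could look like, using Vault Agent's Kerberos auto-auth with its own listener. The Vault address, service principal, realm, keytab and sink paths, port, and the `api_proxy` stanza (Vault 1.12 or later) are assumptions; a second app would get a copy with its own keytab, service account and port.

```hcl
# Assumed Vault Agent config for ONE app ("app-a"), run as a Windows service
# under that app's own domain service account. Each app gets its own copy of
# this file, with a different keytab, sink path and listener port, so the
# token held by this agent is only reachable by the process it serves.

vault {
  address = "https://vault.example.internal:8200"   # assumed address
}

auto_auth {
  method "kerberos" {
    mount_path = "auth/kerberos"
    config = {
      username                 = "svc-app-a"                 # assumed account
      service                  = "HTTP/vault.example.internal"  # assumed SPN
      realm                    = "EXAMPLE.INTERNAL"          # assumed realm
      keytab_path              = "C:\\vault\\app-a\\svc-app-a.keytab"
      krb5conf_path            = "C:\\vault\\app-a\\krb5.conf"
      disable_fast_negotiation = "false"
    }
  }

  # Token sink: restrict this file's ACL to the app-a service account only.
  sink "file" {
    config = {
      path = "C:\\vault\\app-a\\token"
    }
  }
}

# Per-app listener; the app reads secrets through it without handling a token.
listener "tcp" {
  address     = "127.0.0.1:8101"   # app-b would use e.g. 127.0.0.1:8102
  tls_disable = true               # loopback only; not exposed off-box
}

# Attach the agent's own token to requests the app sends through the listener.
api_proxy {
  use_auto_auth_token = true
}
```

With this running, app-a can GET `http://127.0.0.1:8101/v1/secret/data/app-a` (path assumed) and the Vault policy bound to `svc-app-a` decides what it can read, while app-b's agent on another port authenticates as a different principal.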

Multiple agent processes wouldn’t be great; if that were the option, we’d probably be more likely to just use VaultSharp or a similar library within our code.

Thanks for the confirmation about custom auth plugins if we decide to go down that route.