We are doing a POC on using HashiCorp Vault to store the secrets.
As a part of the POC, we have an ETL application that runs on-prem and tries to fetch the secrets from Vault.
Following is the process we are looking into.
1. Authenticate with Vault by logging in with username and password using Userpass.
2. Use the token generated in Step 1 to fetch the role id for the AppRole.
3. Use the token generated in Step 1 to fetch the wrapped secret id for the AppRole.
4. Use the token generated in Step 1 to fetch the unwrapped secret id for the AppRole.
5. Use the token generated in Step 1 to log in with AppRole by providing the unwrapped secret id and role id, and fetch the token.
6. Use this token to fetch the secrets.
Can anyone please help me resolve the queries below?
- Is this the right approach, or is there a better way of fetching
the secrets, as this approach involves multiple API calls?
- In Step 1, I need a username and password to initially
authenticate with Vault, which means I need to store these
details on the ETL server in a file. Is this secure?
- Is there a better way to authenticate the client initially with Vault
without a username and password?
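The six-step flow in the question, coded against Vault's HTTP API as an added example (not code from the original post or from HashiCorp). The client takes an injectable transport: `urllib_transport` talks to a real server, and `FakeVault` is a constructed stand-in with canned responses that reproduces the one behaviour that makes step 4 worth having, namely that a wrapping token can be unwrapped exactly once. Mount paths (`userpass`, `approle`, KV v2 at `secret`), the role name `etl`, the secret path `etl/db`, the wrap TTL and all token values are assumptions for the example.

```python
import json
import os
import urllib.request

WRAP_TTL = "120s"  # assumed: how long the wrapped secret id stays unwrappable


def urllib_transport(vault_addr):
    """Real transport: sends JSON to a Vault server at vault_addr, returns the parsed body."""
    def send(method, path, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(vault_addr + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        for key, value in headers.items():
            req.add_header(key, value)
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send


class VaultAppRoleFlow:
    """Userpass bootstrap -> role id -> wrapped secret id -> unwrap -> AppRole login -> KV read."""

    def __init__(self, transport, role_name="etl", kv_mount="secret"):
        self.send = transport
        self.role_name = role_name
        self.kv_mount = kv_mount

    def _call(self, method, path, token=None, body=None, extra_headers=None):
        headers = dict(extra_headers or {})
        if token:
            headers["X-Vault-Token"] = token
        return self.send(method, path, headers, body)

    def userpass_login(self, username, password):  # Step 1: bootstrap token
        resp = self._call("POST", f"/v1/auth/userpass/login/{username}", body={"password": password})
        return resp["auth"]["client_token"]

    def fetch_role_id(self, token):  # Step 2
        resp = self._call("GET", f"/v1/auth/approle/role/{self.role_name}/role-id", token=token)
        return resp["data"]["role_id"]

    def fetch_wrapped_secret_id(self, token):  # Step 3: X-Vault-Wrap-TTL makes Vault return a wrapping token
        resp = self._call("POST", f"/v1/auth/approle/role/{self.role_name}/secret-id", token=token,
                          extra_headers={"X-Vault-Wrap-TTL": WRAP_TTL})
        return resp["wrap_info"]["token"]

    def unwrap_secret_id(self, wrapping_token):  # Step 4: the wrapping token authenticates the unwrap itself
        resp = self._call("POST", "/v1/sys/wrapping/unwrap", token=wrapping_token)
        return resp["data"]["secret_id"]

    def approle_login(self, role_id, secret_id):  # Step 5
        resp = self._call("POST", "/v1/auth/approle/login", body={"role_id": role_id, "secret_id": secret_id})
        return resp["auth"]["client_token"]

    def read_kv(self, token, path):  # Step 6: KV v2 read; the secret lives under data.data
        resp = self._call("GET", f"/v1/{self.kv_mount}/data/{path}", token=token)
        return resp["data"]["data"]

    def run(self, username, password, secret_path):
        bootstrap = self.userpass_login(username, password)
        role_id = self.fetch_role_id(bootstrap)
        secret_id = self.unwrap_secret_id(self.fetch_wrapped_secret_id(bootstrap))
        return self.read_kv(self.approle_login(role_id, secret_id), secret_path)


class FakeVault:
    """Constructed stand-in for a Vault server: canned responses, single-use wrapping tokens."""

    def __init__(self):
        self.calls = []  # (method, path, token) in order, for inspection
        self.used_wrapping_tokens = set()

    def __call__(self, method, path, headers, body):
        token = headers.get("X-Vault-Token")
        self.calls.append((method, path, token))
        if path.startswith("/v1/auth/userpass/login/"):
            return {"auth": {"client_token": "hvs.bootstrap"}}
        if path.endswith("/role-id") and token == "hvs.bootstrap":
            return {"data": {"role_id": "rid-1"}}
        if path.endswith("/secret-id") and token == "hvs.bootstrap" and "X-Vault-Wrap-TTL" in headers:
            return {"wrap_info": {"token": "hvs.wrap-1"}}
        if path == "/v1/sys/wrapping/unwrap" and token == "hvs.wrap-1":
            if token in self.used_wrapping_tokens:
                raise PermissionError("wrapping token already used: possible interception")
            self.used_wrapping_tokens.add(token)
            return {"data": {"secret_id": "sid-1"}}
        if path == "/v1/auth/approle/login" and body == {"role_id": "rid-1", "secret_id": "sid-1"}:
            return {"auth": {"client_token": "hvs.app"}}
        if path.startswith("/v1/secret/data/") and token == "hvs.app":
            return {"data": {"data": {"db_password": "constructed-value"}}}
        raise PermissionError(f"denied: {method} {path}")


if __name__ == "__main__":
    addr = os.environ.get("VAULT_ADDR")
    transport = urllib_transport(addr) if addr else FakeVault()
    user = os.environ.get("ETL_VAULT_USER", "etl-user")
    password = os.environ.get("ETL_VAULT_PASSWORD", "constructed-password")
    print(VaultAppRoleFlow(transport).run(user, password, "etl/db"))
```

The fake server is what shows the design point behind response wrapping: a wrapping token that fails to unwrap with "already used" means someone else consumed the secret id first, which is the detection signal the extra API call buys, and the application should treat that failure as an incident rather than retry. In the original sequence all of steps 2 and 3 are executed by the ETL server itself with the bootstrap token, so the userpass credential on disk is as powerful as the AppRole it unlocks; the usual split is for a separate trusted delivery process (an orchestrator or CI job) to perform steps 1 to 3 and hand only the wrapping token to the application, which then needs nothing but `unwrap_secret_id`, `approle_login` and `read_kv` from this class and no stored username or password.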