Cloud authentication methods + cloud secret engines

In HashiCorp Vault, there are the cloud authentication methods like AWS, Azure, GCP, and also the cloud secret engines. Are they usually coupled?
Meaning that when using the cloud-based secret engines, usually it will go with a cloud authentication method?
Or are there use cases where a customer is using the cloud authentication methods just to authenticate?
I know that it's possible; the question is whether it's common.
Thanks!

Hi @Bojack!

You do not have to use the cloud auth methods in conjunction with the cloud secrets engines.

For example, if your application/workload is running in the cloud (AWS, GCP, Azure) and needs to connect to Vault to pull static/dynamic credentials or use Vault for encryption/tokenization purposes, then you can leverage the cloud-specific auth method as a way to authenticate into Vault (as opposed to using something like AppRole auth).

If you have an application that needs to talk to the cloud, then you can use Vault to generate those credentials using the specific cloud secrets engine. This could be a CI/CD pipeline on GitHub/GitLab that uses the JWT auth method or an on-premises application running on Kubernetes that uses the Kubernetes auth method.

How an application authenticates to Vault is different than the secrets the application needs to pull from Vault.

I like to start with asking where the workload is running (AWS, Azure, GCP, Kubernetes, CI/CD, VM, etc.) as that usually dictates what auth method to use!
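The two independent steps described in the answer above, as an added example that is not part of the original posts: a login against an auth mount, then a read from a secrets mount, with the two combinations mixed in both directions. The Vault address, role names, secret paths and default mount names (`jwt`, `aws`, `secret`) are assumptions, and `fake_vault` is a constructed stand-in for a server so the flow runs offline.

```python
import json
import urllib.request

VAULT_ADDR = "https://vault.example.internal:8200"  # placeholder address (assumption)

def http_transport(method, url, headers, body):
    """Real transport: send one request to Vault's HTTP API and decode the JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def login(auth_mount, payload, transport=http_transport):
    """Step 1: authenticate. The mount and payload follow from where the workload runs."""
    reply = transport("POST", f"{VAULT_ADDR}/v1/auth/{auth_mount}/login", {}, payload)
    return reply["auth"]["client_token"]

def read_secret(token, path, transport=http_transport):
    """Step 2: read. The path follows from what the workload needs, not how it logged in."""
    reply = transport("GET", f"{VAULT_ADDR}/v1/{path}", {"X-Vault-Token": token}, None)
    return reply["data"]

# Constructed sample data served by the fake server below.
FAKE_SECRETS = {
    "aws/creds/deploy": {"access_key": "AKIA-CONSTRUCTED", "secret_key": "constructed"},
    "secret/data/app/config": {"data": {"db_host": "db.example.internal"}},
}

def fake_vault(method, url, headers, body):
    """Constructed stand-in for Vault: any login succeeds, reads require the issued token."""
    path = url.split("/v1/", 1)[1]
    if method == "POST" and path.startswith("auth/") and path.endswith("/login"):
        return {"auth": {"client_token": "hvs.CONSTRUCTED"}}
    if headers.get("X-Vault-Token") != "hvs.CONSTRUCTED":
        raise PermissionError("permission denied")
    return {"data": FAKE_SECRETS[path]}

def ci_pipeline_gets_aws_creds(ci_jwt, transport=http_transport):
    # Workload outside the cloud: JWT auth method, then the AWS secrets engine.
    token = login("jwt", {"role": "ci-deploy", "jwt": ci_jwt}, transport)
    return read_secret(token, "aws/creds/deploy", transport)

def aws_workload_reads_kv(aws_login_payload, transport=http_transport):
    # Workload inside AWS: AWS auth method, then a plain KV v2 secret (no cloud engine).
    token = login("aws", aws_login_payload, transport)
    return read_secret(token, "secret/data/app/config", transport)

if __name__ == "__main__":
    print(ci_pipeline_gets_aws_creds("constructed.jwt.value", fake_vault))
    print(aws_workload_reads_kv({"role": "app"}, fake_vault))
```

What the token may read is decided by the policies attached to the auth role, so the pairing of auth method and secrets engine is a policy choice rather than a property of either mount.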