Hide from developers

Hello, I am new to Vault and still trying to understand it. I have a question. We want to prevent even our developers from getting key values but still use them in ASP.NET Core. With the token's read permission they are able to see the value of the key. Is there any way to hide values from them?

Yes, Vault supports that, but what you have is a segregation of duties problem.

The usual way to do that is to give your application an AppRole to authenticate to Vault. You can also restrict that AppRole to a subnet so that if someone steals the credentials they will be unusable elsewhere.

Developers will authenticate to Vault (if required) with their own personal account. Vault can be linked to your corporate Active Directory (works well, did that for many clients).

With that set up, you would create policies to allow the application (using its AppRole and secret-id) to read that secret value, but the developers would not be able to read it. You could restrict their rights to listing the secret.

But if your developers are Windows administrators, they can log in to the server, read the AppRole's secret-id, impersonate the application and read the secret. This is possible because your developers have both knowledge and access. You need segregation of duties here.

Vault will have Kerberos support soon, so I guess you could have the application use a domain account and authenticate to Vault with Kerberos. But it does not solve the segregation of duties problem you have; it only makes it harder for a developer to impersonate the application.

No harm in putting the application's secret-id in your web.config file and encrypting it. But again, you are just making it harder to impersonate.

So in short, Vault is great, but with it or any other product, you will always end up with a password in a file. You get to pick the file, that's it. At least Vault reduces the attack surface and allows you to implement least privilege and need-to-know easily.
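The policy split described in the answer above (application reads the value, developers can only list), written out as an added example that is not part of the original thread. It assumes a KV v2 secrets engine mounted at `secret/` and an application secret stored at `secret/myapp/db`; the policy names, role name and subnet are placeholders.

```hcl
# Added example, not from the original post. Two Vault policies, normally kept
# in two files (myapp-read.hcl and dev-list.hcl); shown together for clarity.
# Assumed layout: KV v2 mounted at "secret/", application secret at "secret/myapp/db".

# --- myapp-read.hcl: attached to the application's AppRole ---------------
# KV v2 stores values under the "data/" prefix. "read" only; no list, no write,
# so a leaked app token cannot enumerate or change other secrets.
path "secret/data/myapp/db" {
  capabilities = ["read"]
}

# --- dev-list.hcl: attached to developers' AD/LDAP group --------------------
# KV v2 exposes key names under the "metadata/" prefix. "list" lets developers
# see that the secret exists (useful for troubleshooting) but never its value.
# Vault is default-deny, so no explicit deny on "secret/data/..." is needed.
path "secret/metadata/myapp/*" {
  capabilities = ["list"]
}

# Applying the policies and binding the AppRole to the application subnet
# (placeholder subnet 10.0.1.0/24; these are standard vault CLI commands):
#   vault policy write myapp-read myapp-read.hcl
#   vault policy write dev-list   dev-list.hcl
#   vault write auth/approle/role/myapp \
#       token_policies="myapp-read" \
#       secret_id_bound_cidrs="10.0.1.0/24" \
#       token_bound_cidrs="10.0.1.0/24"
#   vault write auth/ldap/groups/developers policies="dev-list"
```

Once applied, a developer token holding only `dev-list` gets a permission denied on `vault kv get secret/myapp/db`, while `vault kv list secret/myapp/` still shows the key name; as the answer notes, this does not stop someone with administrator access on the application server from taking the AppRole's secret-id.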