How to best secure server to server communication?

I am wondering if there is any guidance/architectural patterns on how to secure server-to-server communication using Vault.
The key benefit I see right now with Vault is that it ensures Identity of Machines and Users. So if Server A talks to Server B over HTTP I actually don’t really need to have a shared secret or anything as long as Server B can somehow validate that Server A is indeed Server A and not someone else. (As there is no need to secure/encrypt the actual communication due to TLS)

So the most naive way to achieve this would be to have a shared authentication secret stored in Vault, with both server and client retrieving this secret at startup and checking that it's the right one.
The problems are obviously the shared secret, secret rotation, etc.

The next obvious solution would be that the Client writes on startup a secret to Vault’s KV store that the Server then retrieves to validate a SHA256 signature on the HTTP message. This obviously requires one Vault interaction per message but gets away from long-lived and shared secrets.

The best solution IMO would be to have Vault sign some Bearer/JWT Token for the Client that can then be used and locally validated by the Server. But I don’t see an obvious way with the given Secret Engines to do that.

Am I missing something or is there a Tutorial I should be reading that I haven’t stumbled upon yet?
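The "best solution" sketched in the post (a central signer mints a short-lived JWT for the client, the server validates it locally with a cached public key) is easy to get wrong at the verification step, so here is an added, self-contained Go example of that pattern. It is not code from the original thread or from Vault: the `TokenIssuer` type is a stand-in for a central Ed25519 signing key (in a real deployment the signing call would go to Vault's Transit engine and the server would fetch the public key from Vault once), and the claim names and identities (`server-a`, `server-b`) are assumed for illustration. The verifier pins the algorithm, checks the signature before trusting any claim, and enforces audience and expiry, which is what removes the need for a per-message Vault round trip.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the minimal JWT payload the server checks (example only).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"` // identity of the calling service
	Aud string `json:"aud"` // the service this token is meant for
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// TokenIssuer stands in for a central signer such as a Vault Transit key.
// Assumption: Vault is not called here; the key is generated locally so the
// example runs offline. Only this side ever holds the private key.
type TokenIssuer struct{ priv ed25519.PrivateKey }

func NewTokenIssuer() (*TokenIssuer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TokenIssuer{priv: priv}, nil
}

// PublicKey is what the verifying server fetches once and caches.
func (i *TokenIssuer) PublicKey() ed25519.PublicKey {
	return i.priv.Public().(ed25519.PublicKey)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Issue mints a compact EdDSA JWT (header.payload.signature) for a client.
func (i *TokenIssuer) Issue(c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	sig := ed25519.Sign(i.priv, []byte(signingInput))
	return signingInput + "." + b64(sig), nil
}

// Verify is what the receiving server runs per request, entirely locally:
// no network round trip and no shared secret, only the cached public key.
func Verify(pub ed25519.PublicKey, token, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm: the token must never choose it ("alg":"none" / key confusion).
	if hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	// Signature first; only then are the claims worth parsing.
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("token for audience %q, not %q", c.Aud, wantAud)
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	issuer, _ := NewTokenIssuer()
	now := time.Now()
	tok, _ := issuer.Issue(Claims{Iss: "vault", Sub: "server-a", Aud: "server-b",
		Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()})
	c, err := Verify(issuer.PublicKey(), tok, "server-b", now)
	fmt.Println(c, err)
}
```

Because the token carries its own audience and expiry, the server needs nothing from Vault at request time; rotating the signing key only requires the server to refresh its cached public key.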


I could be mistaken but it sounds like you’re describing something that Consul’s Service Mesh solves for: Service Mesh | Consul by HashiCorp


Yes but we are not using Consul - just Vault.
Also, SSL/TLS is already in place, so it's really mostly about identity at this point, which I believe must be easily solvable with vanilla Vault.