I am wondering if there is any guidance/architectural patterns on how to secure server-to-server communication using Vault.
The key benefit I see right now with Vault is that it ensures Identity of Machines and Users. So if Server A talks to Server B over HTTP I actually don’t really need to have a shared secret or anything as long as Server B can somehow validate that Server A is indeed Server A and not someone else. (As there is no need to secure/encrypt the actual communication due to TLS)
So the most naive way to achieve this would be to have a shared authentication secret be stored in Vault and both server and client retrieve at the beginning this secret and check if it’s the right one.
Problems are obviously a shared secret, secret rotation etc…
The next obvious solution would be that the Client writes on startup a secret to Vault’s KV store that the Server then retrieves to validate a SHA256 signature on the HTTP message. This obviously requires one Vault interaction per message but gets away from long-lived and shared secrets.
The best solution IMO would be to have Vault sign some Bearer/JWT Token for the Client that can then be used and locally validated by the Server. But I don’t see an obvious way with the given Secret Engines to do that.
Am I missing something or is there a Tutorial I should be reading that I haven’t stumbled upon yet?