I would like to create a Linux server image that will initially be an AWS AMI but will soon also include Docker and other image types. I want to store my secrets in a local instance of Vault.
Is there any way to do this without requiring additional servers/services to manage the secret ID?
I can bake anything into the image as needed. But all of the use cases I’ve found with AppRole auth rely on external trusted entities that periodically update the wrapping token.
Something somewhere needs to provide your containers with a way they can authenticate themselves to services over the network (including Vault).
The details can vary, but the basic requirement is immutable.
You could bake in a secret - but then all copies of your container, including ones run by other people who get hold of your image, have the same access.
You could have the process that starts the containers inject a secret - but then you need to create or configure that automation.
You could have each container startup be treated as a new identity, have it request new authentication material from a central server, and save it to local storage - but then you need to provide appropriate permissions to each of those new identities created when a new container starts up - and not provide them to rogue processes pretending to be your containers.
It’s a complex problem space, and you haven’t said much about the details of your requirements, so that’s all I can say.
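The second option in the reply above (the process that starts the instance or container injects a secret) is usually done with AppRole and a response-wrapped SecretID. The following is an added example, not code from the thread or from HashiCorp: the RoleID is baked into the image, the launcher hands over only a wrapping token, and the first-boot client checks the token's `creation_path` with `sys/wrapping/lookup` before unwrapping it, so a substituted token is refused and a token that has already been unwrapped (a sign of interception) fails loudly. The role name `web`, the RoleID, SecretID and token values, and the in-process stand-in for Vault's three endpoints are all constructed for this example; only the API paths and header are Vault's real ones.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ROLE_NAME = "web"  # assumed AppRole name (not from the thread)
# A SecretID wrapped by Vault carries this creation_path; anything else means
# the wrapping token was produced some other way and must not be trusted.
EXPECTED_PATH = f"auth/approle/role/{ROLE_NAME}/secret-id"


def _post(base, path, body=None, token=None):
    """POST JSON to a Vault API path; raises OSError (HTTPError) on 4xx/5xx."""
    req = urllib.request.Request(f"{base}/v1/{path}", method="POST",
                                 data=json.dumps(body or {}).encode())
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def verify_wrapping_token(base, wrap_token):
    """sys/wrapping/lookup does not consume the token; confirm it wraps a
    SecretID for our role and nothing else."""
    info = _post(base, "sys/wrapping/lookup", {"token": wrap_token})["data"]
    return info.get("creation_path") == EXPECTED_PATH


def unwrap_secret_id(base, wrap_token):
    """Unwrap the single-use wrapping token to obtain the SecretID."""
    if not verify_wrapping_token(base, wrap_token):
        raise ValueError("wrapping token was not created by " + EXPECTED_PATH)
    return _post(base, "sys/wrapping/unwrap", token=wrap_token)["data"]["secret_id"]


def approle_login(base, role_id, secret_id):
    """Exchange RoleID + SecretID for a client token."""
    resp = _post(base, "auth/approle/login",
                 {"role_id": role_id, "secret_id": secret_id})
    return resp["auth"]["client_token"]


def bootstrap(base, role_id, wrap_token):
    """What the image's first-boot script does: verify, unwrap, log in."""
    return approle_login(base, role_id, unwrap_secret_id(base, wrap_token))


# --- constructed stand-in for Vault's three endpoints (example only) ---
FAKE_ROLE_ID = "role-id-web"
FAKE_SECRET_ID = "secret-id-123"


def start_fake_vault():
    """Start an in-process HTTP server with fresh state; returns its base URL."""
    wraps = {  # wrapping token -> (secret_id, creation_path)
        "wrap-good": (FAKE_SECRET_ID, EXPECTED_PATH),
        "wrap-bad": ("secret-id-999", "sys/wrapping/wrap"),  # not a SecretID wrap
    }
    invalid = {"errors": ["wrapping token is not valid or does not exist"]}

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def _reply(self, code, obj):
            body = json.dumps(obj).encode()
            self.send_response(code)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_POST(self):
            length = int(self.headers.get("Content-Length") or 0)
            body = json.loads(self.rfile.read(length) or b"{}")
            token = self.headers.get("X-Vault-Token")
            if self.path == "/v1/sys/wrapping/lookup":
                w = wraps.get(body.get("token"))
                if w is None:
                    return self._reply(400, invalid)
                return self._reply(200, {"data": {"creation_path": w[1], "creation_ttl": 300}})
            if self.path == "/v1/sys/wrapping/unwrap":
                w = wraps.pop(token, None)  # single use: a second unwrap fails
                if w is None:
                    return self._reply(400, invalid)
                return self._reply(200, {"data": {"secret_id": w[0]}})
            if self.path == "/v1/auth/approle/login":
                if (body.get("role_id"), body.get("secret_id")) == (FAKE_ROLE_ID, FAKE_SECRET_ID):
                    return self._reply(200, {"auth": {"client_token": "client-token-abc",
                                                      "lease_duration": 3600}})
                return self._reply(400, {"errors": ["invalid role or secret ID"]})
            return self._reply(404, {"errors": []})

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    vault = start_fake_vault()
    print("client token:", bootstrap(vault, FAKE_ROLE_ID, "wrap-good"))
```

Against a real Vault the launcher obtains the wrapping token with `vault write -wrap-ttl=300s -f auth/approle/role/web/secret-id` and passes it to the new instance (user data, an environment variable, or a mounted file); because the token is single use and short lived, a leaked image or a captured launch payload yields nothing once the legitimate first boot has consumed it, and a failed unwrap on first boot is itself a signal worth alerting on.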
Thanks. In this case the Vault would be local to the service I am running. So there wouldn’t technically be anything going over the network. I am only using Vault here to avoid having secrets stored in plain text. The 2nd option sounds like the best solution for me since I’m already running some other initial provisioning scripts and can set up the Vault and secret then.
If the Vault is running local to the service and had no dependencies, doesn’t that mean the keys to unlock the Vault are also local to the service, and therefore anything in the Vault is effectively as secure as if it were in plaintext on disk anyway?
Yes. This was what prompted my original question to see if there was a standard method for handling this scenario.
At least if there is just one secret that I have to manage for Vault then I have some other options to secure that using encryption that is already compiled into my program.