Login for local developer?

Hey there,

We are starting to use Vault, but now we are stuck on a problem.
Our app uses an API, and the API needs a secret.
In our k8s and GitLab work it works very well; we can inject the secret via Vault.

But … how can we inject Vault secrets into a local environment?
We want something like this:

  1. DEV checks out the project (which has no secrets)
  2. DEV starts the application (via IntelliJ)
  3. One component recognizes that the secret is not there.
  4. The component opens the Vault login interface.
  5. DEV enters his login data and the received token is forwarded to the component.
  6. The component extracts all required information from Vault and passes it to the application (as a file or environment variables)

This process would ensure that

  • no secrets have to be in the git repo
  • only authorized devs get the secret
  • rolling updates of secrets are possible

Any ideas?

Jetbrains has a plugin here that might help:

Can you elaborate more on “rolling-updates of secrets are possible”?

Thank you for the hint. Sadly the plugin is only for TeamCity (which we are not using).
But I will have a look for similar plugins in IntelliJ.

Maybe I used the wrong words. I meant rotation of secrets.
In our case: the API secret (aka API password, API key) automatically changes once a week.

Have you considered Cubbyhole Response Wrapping? This would allow you to deliver a ‘wrapping token’ through whatever mechanism to the local environment. The app could then use that to obtain its ‘real’ token to request the needed secrets.

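The response-wrapping flow suggested in the last reply, as an added example that is not code from the thread or from HashiCorp: the local app receives a short-lived wrapping token out of band, asks Vault where that token was created (so a token swapped in transit is rejected), unwraps it once, and turns the KV v2 payload into environment variables. It assumes VAULT_ADDR and VAULT_WRAP_TOKEN are set and uses the placeholder KV v2 path secret/data/myapp.

```python
"""Unwrap a Vault response-wrapped secret for a local dev run (standard library only)."""
import json
import os
import urllib.request

EXPECTED_PATH = "secret/data/myapp"  # placeholder path; adjust to your KV v2 mount


def vault_post(addr, path, body, token=None):
    """POST JSON to the Vault HTTP API and return the decoded response."""
    req = urllib.request.Request(
        f"{addr}/v1/{path}", data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def wrapping_token_is_trusted(lookup_response, expected_path=EXPECTED_PATH):
    """sys/wrapping/lookup reports the creation_path that produced the wrapped
    data. Refuse tokens created anywhere else before unwrapping them."""
    data = lookup_response.get("data") or {}
    return data.get("creation_path") == expected_path


def kv2_to_env(unwrapped_response):
    """Map a KV v2 read (data.data) into env-var names: upper-cased keys, str values."""
    secret = unwrapped_response["data"]["data"]
    return {k.upper(): str(v) for k, v in secret.items()}


def fetch_secret_env(addr, wrap_token):
    """Look up, verify, then unwrap; the wrapping token can only be unwrapped once."""
    lookup = vault_post(addr, "sys/wrapping/lookup", {"token": wrap_token})
    if not wrapping_token_is_trusted(lookup):
        raise RuntimeError(f"wrapping token was not created for {EXPECTED_PATH}")
    # Wrapping token goes in X-Vault-Token, so the body stays empty.
    unwrapped = vault_post(addr, "sys/wrapping/unwrap", {}, token=wrap_token)
    return kv2_to_env(unwrapped)


if __name__ == "__main__":
    env = fetch_secret_env(os.environ["VAULT_ADDR"], os.environ["VAULT_WRAP_TOKEN"])
    os.environ.update(env)  # hand values to the app process; nothing is written to the repo
    print("loaded:", ", ".join(sorted(env)))
```

If the lookup fails or the unwrap returns an error, the token has either expired or already been used, which is the signal to request a fresh one rather than retry.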