It doesn’t appear that HashiCorp Vault offers a managed solution and, as a result, I will have to roll my own. This is subjective, but how are you managing secure access for your internal users?
- Are you creating DNS e.g. vault.domain.com and restricting access to this through VPN?
- Are you creating DNS e.g. vault.domain.com and restricting access to this via IP range?
I’m looking for suggestions on securing the vault stack and ensuring that a handful of users can log in and create secrets as needed.
Context: https://www.vaultproject.io/
I’m in the same situation in fact.
Did you know that some authentication engines can be configured to allow/deny access based on CIDR? See e.g. https://www.vaultproject.io/docs/concepts/tokens#cidr-bound-tokens.
In my case, because of integration with an external SaaS product, the cluster needs to be accessible online. As a load balancer will be in front of the Vault cluster, I was thinking of putting several ACLs on the load balancer, e.g. the /ui endpoint only accessible from certain ranges. I hope the other backends can be protected like that too.
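As an added example of the CIDR-bound approach described in the reply above (this is not code from the thread or from HashiCorp; it is Terraform using the Vault provider), the following binds the operators' tokens to a VPN range and the SaaS integration's AppRole to that vendor's egress range. Everything concrete here is an assumption: the `kv` mount path, the `10.20.0.0/16` VPN range, the `203.0.113.0/24` SaaS range, the user name `alice` and the policy names.

```hcl
# Added example (Terraform, Vault provider), not from the original post.
# Assumes VAULT_ADDR/VAULT_TOKEN point at the cluster with admin rights,
# a KV v2 engine mounted at "kv/", and the hypothetical address ranges below.

terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
  }
}

variable "alice_password" {
  type      = string
  sensitive = true
}

# The handful of operators may manage secrets under kv/team/* and nothing else.
resource "vault_policy" "secret_writers" {
  name   = "secret-writers"
  policy = <<-EOT
    path "kv/data/team/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }
    path "kv/metadata/team/*" {
      capabilities = ["list", "read", "delete"]
    }
  EOT
}

# The SaaS integration only needs to read one subtree.
resource "vault_policy" "saas_reader" {
  name   = "saas-reader"
  policy = <<-EOT
    path "kv/data/team/saas/*" {
      capabilities = ["read"]
    }
  EOT
}

resource "vault_auth_backend" "userpass" {
  type = "userpass"
}

# userpass has no role object; CIDR binding is set per user via the API,
# so a generic endpoint writes auth/userpass/users/<name> directly.
# A token issued to alice is rejected when presented from outside the
# hypothetical VPN range 10.20.0.0/16, even if the token itself leaks.
resource "vault_generic_endpoint" "alice" {
  depends_on           = [vault_auth_backend.userpass]
  path                 = "auth/userpass/users/alice"
  ignore_absent_fields = true
  data_json = jsonencode({
    password          = var.alice_password
    token_policies    = [vault_policy.secret_writers.name]
    token_bound_cidrs = ["10.20.0.0/16"]
    token_ttl         = "1h"
    token_max_ttl     = "8h"
  })
}

resource "vault_auth_backend" "approle" {
  type = "approle"
}

# The SaaS product logs in from a known egress range (hypothetical
# 203.0.113.0/24). Both the SecretID use and the resulting token are bound
# to that range, so a stolen RoleID/SecretID pair cannot be used elsewhere.
resource "vault_approle_auth_backend_role" "saas" {
  backend               = vault_auth_backend.approle.path
  role_name             = "saas-integration"
  token_policies        = [vault_policy.saas_reader.name]
  secret_id_bound_cidrs = ["203.0.113.0/24"]
  token_bound_cidrs     = ["203.0.113.0/24"]
  secret_id_num_uses    = 1
  token_ttl             = "30m"
}
```

One caveat when a load balancer sits in front of the cluster, as in the reply above: Vault evaluates the CIDR bound against the source address of the TCP connection, which is the load balancer's address unless the `listener "tcp"` stanza in the Vault server config lists that address in `x_forwarded_for_authorized_addrs` (the related `x_forwarded_for_reject_not_present` and `x_forwarded_for_reject_not_authorized` settings control what happens when the header is missing or comes from an untrusted proxy). Without that, every request appears to originate from the load balancer and the bounds above either block everyone or protect nothing, depending on whether the load balancer's own address happens to fall inside a bound range. The load balancer ACL on `/ui` and `/v1/sys/*` is still worth having as a second, independent layer.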
Thank you! I wasn’t aware of the CIDR option, but that’s good to know. I’ve been reading through the documentation.