Multi-process applications (e.g. Flask) for x509-based authentication

Hello,

  • I am relatively new to Vault so would appreciate any guidance from the community.

  • I am using the Community edition.

  • I am looking to implement x509-based authentication. In fact I am also thinking of leveraging Vault’s CA capability and Vault Agent.

  • I have the following questions:

    1. How does Vault handle x509-based authentication for an application with multiple processes, e.g. a Flask app running with > 1 worker process?
    2. Can multiple applications share secrets? Can one application write the secret and another read and delete it?
    3. Where can I find documentation for how Vault manages API tokens?

I would greatly appreciate any help!
Thanks very much in advance!

Hello @maccamb,
You can find the documentation for mTLS authentication via CLI and via API.
Note: Only the public key can be imported when configuring the authentication method.

You can use the same cert across multiple processes, but I think it's better to use a different cert for each process.

> Can multiple applications share secrets? Can one application write the secret and another read and delete it?

It depends on which secret engine you are using. If you're using the KV secret engine, then yes. You can define 2 separate TLS roles, each with its own policy:

  • One role can have permissions to create and update secrets.
  • The other can be limited to reading and deleting them.

If you're using dynamic secrets (such as those managed by the GCP secret engine), Vault will generate a new, unique secret for each read operation, so secrets aren't reusable in the same way.

> Where can I find documentation for how Vault manages API tokens?

Here are some useful links on how Vault handles tokens:

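The two-role setup described in the answer above, as an added example that is not part of the original thread and not HashiCorp's own code: it writes two KV v2 policies (one that can create/update a shared secret, one that can only read and delete it) and binds each to its own TLS certificate auth role, so the client cert an application presents decides what its token may do. Assumed, not stated in the thread: KV v2 mounted at `secret/`, the cert auth method mounted at `cert/`, the secret path `shared/app-config`, CA files `writer-ca.pem` and `reader-ca.pem`, and `VAULT_ADDR`/`VAULT_TOKEN` exported for an admin session. The policy text is generated locally; nothing talks to Vault unless the script is run with `apply`.

```shell
#!/bin/sh
# Added example (not from the original thread): Vault TLS cert auth with two
# roles, each mapped to its own policy, for two applications sharing one KV v2
# secret. All mount points, file names and the secret path below are assumptions.
set -eu

KV_PATH="shared/app-config"   # assumed name of the secret both apps share

# Policy for the application that creates and updates the secret.
# KV v2 data lives under <mount>/data/<path>, metadata under <mount>/metadata/<path>.
writer_policy() {
  cat <<EOF
path "secret/data/${KV_PATH}" {
  capabilities = ["create", "update"]
}
EOF
}

# Policy for the application that reads and deletes the secret.
# "delete" on data/ soft-deletes the latest version only; removing every
# version and the metadata also needs "delete" on metadata/.
reader_policy() {
  cat <<EOF
path "secret/data/${KV_PATH}" {
  capabilities = ["read", "delete"]
}
path "secret/metadata/${KV_PATH}" {
  capabilities = ["delete"]
}
EOF
}

# Create the policies and one cert-auth role per application. Each role
# trusts one CA (or a single leaf cert) and maps to exactly one policy;
# every worker process of an app can present the same cert, or each
# worker its own cert issued by that CA, and gets the same policy either way.
configure_vault() {
  vault auth enable -path=cert cert 2>/dev/null || true   # idempotent
  writer_policy | vault policy write app-writer -
  reader_policy | vault policy write app-reader -
  vault write auth/cert/certs/app-writer \
    certificate=@writer-ca.pem token_policies=app-writer token_ttl=1h
  vault write auth/cert/certs/app-reader \
    certificate=@reader-ca.pem token_policies=app-reader token_ttl=1h
}

# How each application then authenticates and uses the secret (assumed cert
# file names; run by every worker process at startup):
#   vault login -method=cert -client-cert=writer.pem -client-key=writer-key.pem name=app-writer
#   vault kv put secret/${KV_PATH} db_password=...
#   vault login -method=cert -client-cert=reader.pem -client-key=reader-key.pem name=app-reader
#   vault kv get secret/${KV_PATH}
#   vault kv delete secret/${KV_PATH}

if [ "${1:-}" = "apply" ]; then
  configure_vault
fi
```

Note the asymmetry this gives you: the reader role has no `update` capability, so a compromised reader cert cannot plant a tampered value, and the writer role has no `read`, so a compromised writer cert cannot exfiltrate what another writer stored. Give each application its own CA (or pin its leaf cert) in the role so that a cert issued for one application cannot log in as the other.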

Many thanks for your guidance! Greatly appreciate it! 🙏
