I think it depends on what you’re ultimately trying to accomplish.
Response wrapping is good for passing secrets to systems that can't easily be integrated with Vault's authentication, or for passing secrets to a system that doesn't have direct access to the secret(s) within Vault.
I’m also making some assumptions about your use case that may not be valid, so it may be helpful to provide a little more detail around your scenario.
My first assumption is that when you’re referring to Vault LDAP you are referring to Vault’s LDAP authentication method (as opposed to Active Directory or OpenLDAP secrets engines or LDAP credentials to be passed to the application).
My next assumption is that the secret the application needs is mostly static and needed only at application startup. The secret is unlikely to change while the application is running and therefore you don’t need to renew or re-retrieve the secret until application restart.
Next, I’m assuming your application server does not have an existing auth method/role set up for Vault (e.g. AppRole or AWS/GCP/Kube login). However, your Puppet Bolt server does have an established authentication method configured.
I’m not entirely sure what the LDAP credentials are used for: are they used to authenticate to Vault, or are they used by the application at startup?
If that’s all correct then from what I understand you are looking to do the following:
- Puppet Bolt server deploys application to target server
- Puppet Bolt server authenticates to Vault
- Puppet Bolt server retrieves secret
- Puppet Bolt server drops secret on target server - this could be a wrapped token (preferred as it limits potential exposure), the actual clear-text secret, or a single-use token (or AppRole credentials) with a policy that allows reading the target secret(s)
- Target server application starts and reads secret (either via unwrapping the wrapped secret, reading the clear-text secret, or authenticating to Vault with the single-use token and then retrieving the secret directly)
If you could confirm/correct the above that would help me, and others, provide a better recommendation.
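As an added illustration of the wrapped-token handoff described in the steps above (this is example code, not part of the original post and not a HashiCorp tool), the script below builds the two Vault API requests involved: the Bolt side reads the secret with an `X-Vault-Wrap-TTL` header so Vault returns a single-use wrapping token instead of the data, and the target side first looks the token up to confirm its `creation_path`, then unwraps it. The KV path `secret/data/app/config`, the 300-second TTL and the sample responses are assumptions made for the example; the live calls only run when `VAULT_ADDR` and `VAULT_TOKEN` are set.

```python
"""Vault response-wrapping handoff: Bolt wraps, target host unwraps.

Added example, not from the original post. The request builders and
parsers are pure so they can be checked offline; run_handoff() performs
the real HTTP exchange only when VAULT_ADDR/VAULT_TOKEN are present.
"""
import json
import os
import urllib.request
from urllib.error import HTTPError

KV_PATH = "secret/data/app/config"   # assumed KV v2 path for the example
WRAP_TTL = "300s"                     # assumed: short TTL bounds drop-to-startup window


def build_wrapped_read(addr, token, kv_path=KV_PATH, ttl=WRAP_TTL):
    """Bolt side: a normal read, but Vault is told to wrap the response."""
    url = f"{addr.rstrip('/')}/v1/{kv_path}"
    headers = {"X-Vault-Token": token, "X-Vault-Wrap-TTL": ttl}
    return url, headers


def parse_wrap_info(body):
    """Extract what Bolt drops on the target: only the wrapping token."""
    info = body["wrap_info"]
    return {"token": info["token"], "creation_path": info["creation_path"], "ttl": info["ttl"]}


def build_lookup(addr, wrap_token):
    """Target side, step 1: inspect the wrapping token before using it."""
    url = f"{addr.rstrip('/')}/v1/sys/wrapping/lookup"
    headers = {"X-Vault-Token": wrap_token, "Content-Type": "application/json"}
    return url, headers, b"{}"


def creation_path_matches(lookup_body, expected_path=KV_PATH):
    """Reject a token that was not created by the expected read: a substituted
    token would carry a different creation_path even though unwrap would work."""
    return lookup_body.get("data", {}).get("creation_path") == expected_path


def build_unwrap(addr, wrap_token):
    """Target side, step 2: unwrap, authenticating with the wrapping token itself."""
    url = f"{addr.rstrip('/')}/v1/sys/wrapping/unwrap"
    headers = {"X-Vault-Token": wrap_token, "Content-Type": "application/json"}
    return url, headers, b"{}"


def extract_secret(unwrap_body):
    """KV v2 puts the caller's key/values under data.data."""
    return unwrap_body["data"]["data"]


def _call(url, headers, data=None, method=None):
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def run_handoff():
    """Full exchange against a live Vault; returns None when not configured."""
    addr, token = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    if not addr or not token:
        return None
    wrapped = parse_wrap_info(_call(*build_wrapped_read(addr, token)))
    # ... here Bolt would write wrapped["token"] to the target host ...
    url, hdrs, body = build_lookup(addr, wrapped["token"])
    if not creation_path_matches(_call(url, hdrs, body, "POST")):
        raise RuntimeError("wrapping token was not created by the expected read")
    url, hdrs, body = build_unwrap(addr, wrapped["token"])
    try:
        return extract_secret(_call(url, hdrs, body, "POST"))
    except HTTPError as err:
        # A 400 here on a token that just passed lookup means it was already
        # unwrapped once: treat that as possible interception, not a retry.
        raise RuntimeError(f"unwrap failed ({err.code}); token may have been used") from err


# Constructed sample responses (shapes follow the Vault HTTP API; values are made up).
SAMPLE_WRAPPED = {"wrap_info": {"token": "hvs.example-wrap-token", "accessor": "acc",
                                "ttl": 300, "creation_time": "2024-01-01T00:00:00Z",
                                "creation_path": KV_PATH}}
SAMPLE_LOOKUP = {"data": {"creation_path": KV_PATH, "creation_ttl": 300}}
SAMPLE_UNWRAPPED = {"data": {"data": {"db_password": "constructed-value"}, "metadata": {}}}
```

The lookup step is what makes the wrapped token safer than a clear-text drop: the Bolt server never hands the target anything that is itself the secret, the token can be used exactly once, and a mismatched `creation_path` or a failed unwrap tells the application someone else touched the token in transit rather than silently starting with the wrong value.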