Protect Vault with the Windows account credentials

I am building a Windows service which will run as a dedicated service account. Is there a way to protect the secrets stored in Vault using the Windows user account? For example, I would like my service to automatically have access to the secrets, but not any other user in this Windows box.
I am looking at the “Vault Agent Windows Service” but can’t really understand whether it provides this functionality.

No, Vault doesn’t have a native Windows authentication method.

It might be, if in an Active Directory domain, possible to press the Kerberos auth method into use, but Kerberos is a very difficult thing to set up without extensive prior experience.

Your easiest option is to just give the service a file on disk containing a credential it can use, and restrict access using Windows file permissions.
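
One way to apply the file-permission approach suggested above, as an added example that is not part of the original answer. The account name and file path are hypothetical, and the script assumes an elevated PowerShell prompt; it locks the file down with `icacls` and then checks that no other principal is left on the ACL.

```powershell
# Assumed values for illustration only; replace with your own.
$ServiceAccount = 'CONTOSO\svc-myapp'                      # hypothetical service account
$CredFile       = 'C:\ProgramData\MyService\vault-credential'  # hypothetical path

# Resolve the account to a SID so the check does not depend on localized names.
$svcSid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
# Principals allowed on the file: the service, SYSTEM, local Administrators.
$allowed = @($svcSid, 'S-1-5-18', 'S-1-5-32-544')

New-Item -ItemType Directory -Path (Split-Path $CredFile) -Force | Out-Null
if (-not (Test-Path $CredFile)) {
    New-Item -ItemType File -Path $CredFile | Out-Null
}

# Remove inherited ACEs and set explicit grants in a single icacls call:
# read-only for the service account, full control for SYSTEM and Administrators.
icacls $CredFile /inheritance:r /grant:r "*${svcSid}:(R)" `
    '*S-1-5-18:(F)' '*S-1-5-32-544:(F)' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Verify: any Allow entry for a principal outside the allowed set is a failure.
$unexpected = (Get-Acl -Path $CredFile).Access | Where-Object {
    $sid = $_.IdentityReference.Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $_.AccessControlType -eq 'Allow' -and $allowed -notcontains $sid
}
if ($unexpected) {
    $unexpected | Format-Table IdentityReference, FileSystemRights
    throw "Unexpected principals can access $CredFile"
}
"OK: only the service account, SYSTEM and Administrators can access $CredFile"
```

SYSTEM and local Administrators keep access in this sketch; NTFS permissions separate the service account from other ordinary users, not from administrators of the box.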

Thank you @maxb! I was hoping to avoid the usage of NTFS permissions as a means of protection. I’ll keep on looking for other solutions then.