Python code to access static secret to access snowflake database

Hi,
It was just one week I started learning vault and its features, and now started doing few experiments using it.

Using hvac python library, I would like to retrieve the credentials and use them to access snowflake database. You may say, why I shouldn’t use dynamic secrets but this is another day for the experiment.

In the hvac library, it was mentioned that I should have a token (VAULT_TOKEN) and maybe a certificate path,

import os
import hvac

# client_cert_path, client_key_path and server_cert_path are placeholders for the TLS files
client = hvac.Client(url='https://localhost:8200',
                     token=os.environ['VAULT_TOKEN'],
                     cert=(client_cert_path, client_key_path),
                     verify=server_cert_path)

client.is_authenticated()

It seems I need to set VAULT_TOKEN and also specify the client certificate path. This means I need to expose the access information (VAULT_TOKEN and other details) in the python code.

My questions are:

  1. How securely, or what is the best way, can my python code get the static secret from the vault? If I get a periodic token, it could be fine, but I still need to log in to the vault using the root or another token to get the temporary token, so they are again exposed.
  2. I will deploy the application in docker. Do I need to set the VAULT_TOKEN environment variable in the Dockerfile? But then the token is again revealed.
  3. We also have a kubernetes cluster, but I am not much of an expert in that area.
  4. Is there something that I can do with jenkins?

I was juggling here and there to get a better understanding for a long time, but not much fruitfully. Your hints or references could help me, a developer, be a part of the community.
I hope this community helps me.

Please do not downvote or ignore my questions if you think they are irrelevant to ask or need more effort. Your hints would help me to jump in the right direction.

Thank you very much,
Hari

There are many options, depending on your security posture and available systems.

In general I’d recommend not using environment variables for secrets, instead putting the secrets in files. You will need some form of secret to be able to login/call Vault.

You could use AppRole to login to Vault. For that you'd need to pass a role ID & secret ID to the application, which can then be used to login and fetch a token. That token could then be renewed by the application as long as it is running. You would need to protect those two values (e.g. in correctly permissioned files), as anyone who can get hold of them would be able to login to Vault themselves. You can minimise the risk by also setting allowed CIDR ranges, as well as deleting the files once read by your app.

Another option is just passing a token to the application upon startup. If doing that I'd suggest making it a wrapped token which can only be unwrapped once. You'd then know if someone got hold of the token before the app managed to, as well as preventing others who can see it from using it going forward.

Ultimately there are certain situations you can’t prevent - if you can read memory for example you could extract the token, even if it had been removed from disk. The best you can hope for is to reduce the risk of exposure (delete files once used, wrapped tokens) and increase the likelihood of detection (audit log reviews, CIDR restrictions, wrapped tokens, periodic token revocations and renewals).

1 Like
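The file-based AppRole bootstrap and the single-use wrapped secret described in the reply above, as an added Python example for this thread (not code from hvac, Vault or any poster). It assumes, hypothetically, an AppRole mount at `approle`, a KV v2 mount at `secret` holding a secret at `snowflake/app` with the keys `user`, `password` and `account`, and role-id / secret-id files that the deployment tooling drops with owner-only permissions. The helpers take the hvac client as a parameter, so the flow can be exercised against a fake client without a running Vault.

```python
"""AppRole bootstrap for a Python app that reads a static Snowflake credential
from Vault KV v2. Added example for this thread, not code from hvac or Vault.
Hypothetical assumptions: AppRole mount 'approle', KV v2 mount 'secret', a
secret at 'snowflake/app' with keys user/password/account, and role-id /
secret-id files dropped by the deployment tooling."""
import os
import stat
from pathlib import Path

ROLE_ID_FILE = Path(os.environ.get("VAULT_ROLE_ID_FILE", "/run/secrets/role_id"))
SECRET_ID_FILE = Path(os.environ.get("VAULT_SECRET_ID_FILE", "/run/secrets/secret_id"))


def read_bootstrap_file(path: Path, delete_after: bool = False) -> str:
    """Read one bootstrap value from a file that must be owner-only (0600 or
    tighter). Deleting the file after use shrinks the window in which anyone
    who later lands on the host could reuse it."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world accessible (mode {mode:04o})")
    value = path.read_text(encoding="utf-8").strip()
    if not value:
        raise ValueError(f"{path} is empty")
    if delete_after:
        path.unlink()
    return value


def approle_login(client, role_id: str, secret_id: str, wrapped: bool = False) -> int:
    """Log in with AppRole and return the token TTL in seconds. When `wrapped`
    is true, `secret_id` is a single-use wrapping token: a failed unwrap means
    somebody else consumed it first, which is the detection signal the reply
    above describes."""
    if wrapped:
        secret_id = client.sys.unwrap(token=secret_id)["data"]["secret_id"]
    resp = client.auth.approle.login(role_id=role_id, secret_id=secret_id)
    if not client.is_authenticated():
        raise RuntimeError("AppRole login did not yield a usable token")
    return int(resp["auth"]["lease_duration"])


def fetch_snowflake_credentials(client, path: str = "snowflake/app",
                                mount_point: str = "secret") -> dict:
    """Read the static credential from KV v2 and keep only the fields needed.
    Never log the returned dict."""
    resp = client.secrets.kv.v2.read_secret_version(path=path, mount_point=mount_point)
    data = resp["data"]["data"]
    missing = {"user", "password", "account"} - set(data)
    if missing:
        raise KeyError(f"secret {mount_point}/{path} lacks fields: {sorted(missing)}")
    return {k: data[k] for k in ("user", "password", "account")}


def bootstrap(client, role_id_file: Path = ROLE_ID_FILE,
              secret_id_file: Path = SECRET_ID_FILE, wrapped: bool = False) -> dict:
    """Full sequence: read the role-id, read and delete the secret-id, log in,
    fetch the Snowflake credential. Returns the credential plus the token TTL
    so the caller can schedule client.auth.token.renew_self() before expiry."""
    role_id = read_bootstrap_file(role_id_file)
    secret_id = read_bootstrap_file(secret_id_file, delete_after=True)
    ttl = approle_login(client, role_id, secret_id, wrapped=wrapped)
    creds = fetch_snowflake_credentials(client)
    return {"credentials": creds, "token_ttl": ttl}


if __name__ == "__main__":
    import hvac  # imported here so the helpers above run without it installed

    vault = hvac.Client(url=os.environ.get("VAULT_ADDR", "https://localhost:8200"),
                        verify=os.environ.get("VAULT_CACERT", True))
    result = bootstrap(vault, wrapped=os.environ.get("VAULT_SECRET_ID_WRAPPED") == "1")

    import snowflake.connector  # pip install snowflake-connector-python

    conn = snowflake.connector.connect(**result["credentials"])
    conn.close()
    print(f"token TTL {result['token_ttl']}s; Snowflake connection OK")
```

Only the role-id and secret-id files ever touch disk, the secret-id file is removed as soon as it is read, and nothing is passed through environment variables; the Vault token lives only in the client object. With `VAULT_SECRET_ID_WRAPPED=1` the file is expected to contain a response-wrapping token instead of the raw secret-id, so an unwrap error at startup is the signal that the wrapped value was consumed before the app got to it.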

Thanks Stuart. I now have a better understanding than before.