Recommended auth from apps to access secrets?

What’s the recommended auth method to access secrets in vault from an app? I get everything, and we can do “non-authed” access to the secrets from the API… but “having secrets exposed via the network” seems even less secure than having secrets on disk in persistent volumes. The docs don’t seem to give any good guidance here.

I found a docker volume plugin to expose terraform secrets via docker volume mounts, but it seems to be abandoned and HashiCorp doesn’t seem interested in maintaining it?

I’ve found HashiCorp pretty unfriendly to deal with so far… why should I invest time/energy in them if there is such a “piss off” mentality? Hell… this forum isn’t linked anywhere from the HashiCorp homepage (which is why it’s so empty)

1 Like

First, I must say that I personally found HashiCorp very friendly to deal with, and have very wide variety of tools to “get the job done”.
That being said, not sure why HashiCorp should maintain docker-volume-libsecret, but that’s another issue.
Can you please elaborate on the environment you run in? The language you use?
Have you checked Vault Agent as a sidecar? consul-template as a sidecar? Or, if you use Java, for example, you have libraries like Spring Cloud Vault, and there is also now a new initiative called CSI (for K8s), though I am not sure how mature it is yet.

3 Likes

In response to your question about the link on the main page, that is coming soon. Thank you for your feedback!

First, I must say that I personally found HashiCorp very friendly to deal with, and have very wide variety of tools to “get the job done”.

It might be just the direction I’m coming to HashiCorp from. I just look at the documentation, and the (limited) responses I’ve had from folks at HashiCorp, and haven’t really gotten the warm fuzzies from the community standpoint.

I’ve searched the website, and really not seeing any community, (no slack channels, no irc channels, no forum links, etc) just a lot of points to getting a support contract and asking for a support ticket.

The documentation is there, but it’s lacking the “how”. (This is a good example: I found lots of docs on authenticating via OAuth, etc., but nothing really on how AppRole works, or what it even is.) The expectation can’t be that applications gain access to secrets in Vault via OAuth or username / password pairs.

The Vault Agent side car might be an option, but there really isn’t anything in the docs to connect the dots.

We run ~15 production apps via docker-compose, with the eventual goal of moving to a self-hosted k8s cluster or nomad. (thus the complaints above make me lean towards k8s since the docs seem better)

On the point about documentation, have you checked out https://learn.hashicorp.com/vault/ ? HashiCorp has put a big effort in improving education efforts, and what you’re asking for sounds like it would be found in those guides.

RE: the community, This discussion forum is actually quite brand new; it was announced just a week ago (https://www.hashicorp.com/blog/introducing-the-hashicorp-community-portal), which is why there isn’t much here yet. There’s also a Google Groups list that has a number of individuals on it (https://groups.google.com/forum/#!forum/vault-tool), though I think the plan is to emphasize this discussion forum rather than the Google Groups list.

On your specific question about the recommended auth method, the short answer is, it depends. It depends on the details of your environment. If you have workloads in AWS, then the AWS auth method might be right for you, for example. If you have an existing PKI that works well for you, then maybe you want to use the cert auth method. If you’re running on k8s (as you said you’re planning), then maybe the k8s auth method is right for you. And so on. There’s no singular auth method that is recommended for all use cases. If you have questions about specific auth methods, then please post details about those auth methods and the setup of your environment. As for AppRole, there’s some documentation on it available at https://www.vaultproject.io/docs/auth/approle.html – it’s more in line with the “what it is” rather than “how to use it”/tutorial form, but I wouldn’t say that there’s nothing on how AppRole works. If you have specific questions that aren’t covered in the documentation, then please feel free to post them here for clarification. Also, feel free to open a PR to improve the documentation with what you learn to help others in the community!

Hi Alex,

Sorry you have had a bad experience, I can assure you we do care about our users and being able to provide support. One of the main reasons we created this forum is to standardise that interaction and to be able to create better community interaction around the Open Source products. That said it was only launched about 10 days ago and it will take time to build momentum.

Onto your original question, Vault provides a number of different authentication methods. The one which you use depends on the application and platform it is running on. For example, if you are using Kubernetes then the Kubernetes Auth Method, which uses K8s service tokens, might be the best choice. If you are running your application on a Virtual Machine in the cloud then you can leverage something like the AWS auth method, which uses cloud metadata.

The process is pretty much the same regardless of which auth methods you use:

  1. Application authenticates to Vault using local secrets like cloud metadata, k8s service token
  2. Vault validates this information and returns a token which has policy attached to it
  3. The token is used to access secrets and other functions

My preferred approach for how this works in practice is that I use Vault Agent as a sidecar application which manages authentication:

And Consul Template as a second sidecar to manage the retrieval and life cycle of my secrets:

I feel this approach gives me the best flexibility and security and works with many different workloads.

Regarding docker-volume-libsecret, this is a community project not created by HashiCorp, we only have a finite number of engineers, most of which are working on the core Open Source products.

If you could describe your current architecture in a little more detail (k8s, Nomad, ECS, etc.) I can try and give further pointers.

Kind regards,

Nic

1 Like
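The three-step flow Nic describes (authenticate with a platform credential, receive a policy-scoped token, read the secret with that token), as an added example in Python against Vault’s HTTP API; this is not code from the thread or from HashiCorp. It assumes the Kubernetes auth method mounted at auth/kubernetes, a role named myapp, a KV v2 engine mounted at secret/, and the address in VAULT_ADDR; the embedded login response is a constructed sample for offline inspection.

```python
import json
import os
import urllib.request

# Assumptions (hypothetical, not from the thread): Vault address, the Kubernetes
# auth method at auth/kubernetes, a role "myapp", and a KV v2 engine at secret/.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

# Constructed sample of what step 2 returns; the token value is not real.
SAMPLE_LOGIN_RESPONSE = {"auth": {"client_token": "hvs.CONSTRUCTED-SAMPLE",
                                  "token_policies": ["default", "myapp"],
                                  "lease_duration": 3600, "renewable": True}}


def load_local_credential(path=SA_TOKEN_PATH):
    """Step 1 input: the platform-issued identity (here the pod's service account JWT)."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def build_login_request(role, jwt, mount="kubernetes"):
    """Step 1: the login call; only the short-lived platform credential leaves the pod."""
    return f"{VAULT_ADDR}/v1/auth/{mount}/login", {"role": role, "jwt": jwt}


def parse_login_response(body):
    """Step 2: Vault returns a client token; its policies bound what it may read."""
    auth = body.get("auth") or {}
    token = auth.get("client_token")
    if not token:
        raise ValueError("login response carries no client_token")
    return {"token": token,
            "policies": auth.get("token_policies") or auth.get("policies") or [],
            "ttl": int(auth.get("lease_duration", 0)),
            "renewable": bool(auth.get("renewable", False))}


def parse_kv2_secret(body):
    """Step 3 output: KV v2 nests the key/value pairs under data.data."""
    return body["data"]["data"]


def _call(url, token=None, payload=None):
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)  # never log this header
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def fetch_secret(role, secret_path):
    """Steps 1-3 end to end; secret_path is the logical KV v2 path, e.g. "myapp/db"."""
    url, payload = build_login_request(role, load_local_credential())
    login = parse_login_response(_call(url, payload=payload))
    return parse_kv2_secret(_call(f"{VAULT_ADDR}/v1/secret/data/{secret_path}", token=login["token"]))
```

The token never lands on disk and its lifetime is `ttl`; a sidecar such as Vault Agent does this same login and renewal on the application's behalf.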