Secret invalidation after use


In the company I work for, I’ve launched Vault and am trying to migrate secrets to it.
In that company there is a policy requiring “one-time use of administrator passwords”, like root, db admin, etc.

In other words, when a password is set up, it is stored in Vault. When someone needs that password, he/she checks it out, and after use the password SHOULD be changed.

For most accounts this could be solved by dynamic passwords: when a person needs administrative access, a new account is created with a time limit, and the password can’t be re-used later.

But there are some systems that have no such secrets engine, or no ability to create a plugin to implement this strategy.
For example, a stand-alone PC without a network connection (which still has to follow the policy for the Administrator account).

My question is: what is a possible way to use Vault in that case?
Currently I have one possible solution: modify the KV secrets engine and append functionality such that, when a secret is read, we set a mark in its metadata and later show an alert that the secret has been compromised and should be changed. Also, such secrets could be monitored via the audit log or some job, which would notify the responsible person, block access, etc.

Or maybe there is another “Vault-way” method to organize management of such passwords?

That’s what the “dynamic secret” engines do for Vault. They create a temporary user+password for access, which is then removed.

Dynamic secrets are not available for everything; check the left menu for the “default” engines: Database - Secrets Engines | Vault by HashiCorp. You can also use custom plugins as well as write your own.

The “KV” engine, aka the secret engine, is for static secrets only.

In regard to your offline systems, I think what you have proposed is logical and probably the most you could do with Vault or any other similar product aside from having a 2FA token configured locally on the device (where you would need more than just a password to log in).

You could use Splunk, Kibana, or some other system that you feed your Vault audit logs to, to trigger an alert whenever a “one-time-use” secret is retrieved.

If you are using Vault Enterprise then Control Groups might be of use in this case as well.
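As an added example that is not part of either post above, the following Python script shows the audit-log approach both posts describe: it parses Vault audit device records (one JSON object per line), raises an alert for every successful read of a secret stored under an agreed “one-time-use” KV v2 prefix, and lists the secrets that were read but not written back (rotated) afterwards within the log window. The sample records, the `secret/data/one-time/` prefix convention and the user names are constructed for this example; only the field names (`type`, `time`, `error`, `auth.display_name`, `request.operation`, `request.path`, `request.remote_address`) follow Vault's audit log shape.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample records shaped like Vault's file/socket audit device output
# (one JSON object per line; only the fields this example reads are kept).
# Paths, users, times and addresses are made up for this example.
SAMPLE_AUDIT_LINES = [
    json.dumps({"time": "2024-05-01T09:00:00Z", "type": "response",
                "auth": {"display_name": "userpass-alice"},
                "request": {"operation": "read",
                            "path": "secret/data/one-time/lab-pc-01/administrator",
                            "remote_address": "10.0.0.5"}}),
    # Alice writes a new value back 20 minutes later: the secret was rotated.
    json.dumps({"time": "2024-05-01T09:20:00Z", "type": "response",
                "auth": {"display_name": "userpass-alice"},
                "request": {"operation": "update",
                            "path": "secret/data/one-time/lab-pc-01/administrator",
                            "remote_address": "10.0.0.5"}}),
    json.dumps({"time": "2024-05-01T10:00:00Z", "type": "response",
                "auth": {"display_name": "userpass-bob"},
                "request": {"operation": "read",
                            "path": "secret/data/one-time/db-legacy/admin",
                            "remote_address": "10.0.0.7"}}),
    # A read outside the one-time-use prefix: ordinary static secret, no alert.
    json.dumps({"time": "2024-05-01T10:05:00Z", "type": "response",
                "auth": {"display_name": "userpass-carol"},
                "request": {"operation": "read",
                            "path": "secret/data/shared/wifi",
                            "remote_address": "10.0.0.9"}}),
    # A denied read: Vault records an "error" field and the value was not disclosed.
    json.dumps({"time": "2024-05-01T10:10:00Z", "type": "response",
                "error": "1 error occurred:\n\t* permission denied\n\n",
                "auth": {"display_name": "userpass-dave"},
                "request": {"operation": "read",
                            "path": "secret/data/one-time/db-legacy/admin",
                            "remote_address": "10.0.0.11"}}),
]

# Assumed convention (not a Vault feature): one-time-use secrets live under this
# KV v2 data prefix. A custom_metadata flag on each secret would serve equally well.
ONE_TIME_USE_PREFIX = "secret/data/one-time/"


def parse_audit_lines(lines: Iterable[str]) -> List[dict]:
    """Parse JSON audit records, skipping blank or malformed lines instead of crashing."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def is_successful(record: dict, operation: str) -> bool:
    """True for a completed (type=response), error-free request with the given operation.

    Request-type entries are ignored so each call is counted once, and failed
    requests are ignored because the secret value was never returned.
    """
    return (record.get("type") == "response"
            and not record.get("error")
            and record.get("request", {}).get("operation") == operation)


def one_time_reads(records: List[dict], prefix: str = ONE_TIME_USE_PREFIX) -> List[dict]:
    """Each successful read of a one-time-use secret: the password is now exposed."""
    alerts = []
    for r in records:
        path = r.get("request", {}).get("path", "")
        if path.startswith(prefix) and is_successful(r, "read"):
            alerts.append({"time": r.get("time"), "path": path,
                           "actor": r.get("auth", {}).get("display_name"),
                           "remote_address": r["request"].get("remote_address")})
    return alerts


def unrotated_after_read(records: List[dict], prefix: str = ONE_TIME_USE_PREFIX) -> List[str]:
    """Paths that were read but have no later successful write (rotation) in this window."""
    last_read: Dict[str, str] = {}
    last_write: Dict[str, str] = {}
    for r in records:
        path = r.get("request", {}).get("path", "")
        if not path.startswith(prefix):
            continue
        if is_successful(r, "read"):
            last_read[path] = r.get("time", "")
        elif is_successful(r, "update") or is_successful(r, "create"):
            last_write[path] = r.get("time", "")
    # ISO-8601 UTC timestamps compare correctly as plain strings.
    return sorted(p for p, t in last_read.items() if last_write.get(p, "") <= t)


if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_AUDIT_LINES)
    for a in one_time_reads(recs):
        print(f"ALERT {a['time']} {a['actor']}@{a['remote_address']} read {a['path']}")
    for p in unrotated_after_read(recs):
        print(f"NOT ROTATED: {p}")
```

Run against a real audit file (`vault audit enable file file_path=...`) by feeding its lines to `parse_audit_lines` instead of the constructed list. Secret values in Vault audit logs are HMAC'd, so this works on paths and identities alone; the “not rotated” check only sees writes made through Vault, which is exactly the gap an offline PC leaves and why the reminder has to go to the person who checked the password out.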