Hi, guys!
I’ve just started to use Vault for our applications, and I’ve noticed few areas for improvement.
So I want to gather more information how it could be done.
I used kv secret engine and have created next path structure:
/{env}/services/{service}
env could be sand/stage/prod1/prod2…
services could be app1/app2/app3…
The first problem is - secrets duplications .
For example: app1 and app2 need to communicate between each other and they have keys/secrets to do that. So I need to go and add keys/secrets in two places at least: /{env}/services/app1 and /{env}/services/app2
I came up with solution as master-slave secrets. For example:
- Create /{env}/common secret and gather all duplications in this place.
- Create /{env}/nested secret and set there secrets as common secret key and paths to services: APP1_USERNAME=/{env}/services/app1,/{env}/services/app2
- Create l-function to fetch /{env}/common secrets by keys from /{env}/nested and write them to paths defined in /{env}/nested secret values
- Trigger function once an hour/two/three…
The second problem is - how to automate secrets adding, or how to notify developers at least.
For example: Developer finished to develop new feature that should use new configuration parameter, and forgot to push it into vault.
Pull request was successfully reviewed and merged, new code deployed and doesn’t started due to lack of parameters.
I have some thoughts to use gitHub actions for code scanning and checking secrets in vault.
Is there any practices to handle such situations?