Secure access to vault


I am thinking of deploying Vault in HA (2 nodes for each availability zone) + DynamoDB as a backend storage behind an ALB with ASG and so on AWS.

Our current setup is based on a multi-account strategy, meaning that we have multiple AWS accounts in which we manage several IAM Service Users and other type of static secrets.

The AWS ALB allows authenticate users through OICD and I was thinking on enabling Google OAuth at the ALB level to control the access to the UI but then, it adds another layer on top and more complexity when trying to interact with the Vault API as it will require to auth. several times …

I am trying to get my head around about blocking public access to the UI/API but at the same time allowing access to those other AWS accounts.

Note: Bastion and VPN’s are not options as whitelisting external services is complicated …

Thanks in advance.