We are looking into using Vault to store our database password and other secrets. Not looking into password rotation right now. The constraint being that I’m not allowed to generate any AWS access keys. We also wish to avoid vault being compromised in case our instances are compromised somehow. Our application is written in Python and hosted on AWS ElasticBeanstalk. Had to avoid using beanstalk environment variables as they are present in plaintext on instances.
I tried implementing the approle method as follows:
- Store the role-id in the CodeBuild environment and fetch a single-use wrapped token.
- Write this token to a file which the application code, during startup after deploy, would read and use to fetch the secrets to initialize the app.
- The advantage was that the token, even though present on the instance, wouldn’t have worked anymore, but this would fail in case of auto-scaling, as Beanstalk would deploy the same build on the other instances as well and the token would not have worked there.
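The flow described in the post, written out as an added example (not code from the original post or from HashiCorp): a build step requests a response-wrapped secret-id, an instance unwraps it and logs in, and a small in-memory stand-in for Vault enforces the single-use property so the auto-scaling failure can be reproduced offline. Assumptions: AppRole is mounted at `auth/approle`, a KV v2 engine at `secret/`, the role name `my-app`, and the role-id, build token and secret values are all constructed placeholders.

```python
"""AppRole login with a response-wrapped secret-id, standard library only (added example)."""
import json
import urllib.request


class VaultError(Exception):
    pass


def http_transport(addr):
    """Return a callable that sends JSON requests to a real Vault at `addr` (e.g. VAULT_ADDR)."""
    def send(method, path, token=None, body=None, wrap_ttl=None):
        headers = {"Content-Type": "application/json"}
        if token:
            headers["X-Vault-Token"] = token
        if wrap_ttl:
            headers["X-Vault-Wrap-TTL"] = wrap_ttl      # ask Vault to wrap the response
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{addr}/v1/{path}", data=data, headers=headers, method=method)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def fetch_wrapped_secret_id(send, role_name, build_token, wrap_ttl="5m"):
    """Build-time step: only the wrapping token, never the secret-id, reaches the artifact.
    `build_token` is an assumed token allowed to generate secret-ids for the role."""
    resp = send("POST", f"auth/approle/role/{role_name}/secret-id",
                token=build_token, wrap_ttl=wrap_ttl)
    return resp["wrap_info"]["token"]


def login_with_wrapped_token(send, role_id, wrapping_token):
    """Instance startup: unwrap (single use), then log in with role-id + secret-id."""
    unwrapped = send("POST", "sys/wrapping/unwrap", token=wrapping_token)
    secret_id = unwrapped["data"]["secret_id"]
    auth = send("POST", "auth/approle/login", body={"role_id": role_id, "secret_id": secret_id})
    return auth["auth"]["client_token"]


def read_kv2(send, client_token, path):
    """Read a KV v2 secret; the payload sits under data.data in the response."""
    return send("GET", f"secret/data/{path}", token=client_token)["data"]["data"]


class FakeVault:
    """Constructed in-memory stand-in that models only what the post relies on:
    a wrapping token unwraps exactly once, and a secret-id is single use."""
    def __init__(self, role_id, secrets):
        self.role_id, self.secrets = role_id, secrets
        self.wrapped, self.secret_ids, self.client_tokens, self.n = {}, set(), set(), 0

    def _new(self, prefix):
        self.n += 1
        return f"{prefix}-{self.n}"

    def __call__(self, method, path, token=None, body=None, wrap_ttl=None):
        if path.startswith("auth/approle/role/") and path.endswith("/secret-id"):
            sid = self._new("sid")
            self.secret_ids.add(sid)
            payload = {"data": {"secret_id": sid}}
            if not wrap_ttl:
                return payload
            wt = self._new("hvs.wrap")
            self.wrapped[wt] = payload
            return {"wrap_info": {"token": wt, "ttl": 300}}
        if path == "sys/wrapping/unwrap":
            payload = self.wrapped.pop(token, None)     # pop: a second unwrap fails
            if payload is None:
                raise VaultError("wrapping token is not valid or does not exist")
            return payload
        if path == "auth/approle/login":
            if body["role_id"] != self.role_id or body["secret_id"] not in self.secret_ids:
                raise VaultError("invalid role or secret ID")
            self.secret_ids.discard(body["secret_id"])   # assume secret_id_num_uses=1
            ct = self._new("hvs.client")
            self.client_tokens.add(ct)
            return {"auth": {"client_token": ct}}
        if path.startswith("secret/data/") and token in self.client_tokens:
            return {"data": {"data": self.secrets[path[len("secret/data/"):]]}}
        raise VaultError(f"permission denied or unknown path: {path}")


def simulate_autoscaling(instances):
    """One wrapped token baked into the build, `instances` machines booting from it.
    Returns how many instances manage to log in and read the secret."""
    vault = FakeVault("role-id-from-codebuild", {"app/db": {"password": "constructed-value"}})
    wrapping_token = fetch_wrapped_secret_id(vault, "my-app", build_token="constructed-build-token")
    ok = 0
    for _ in range(instances):
        try:
            ct = login_with_wrapped_token(vault, "role-id-from-codebuild", wrapping_token)
            read_kv2(vault, ct, "app/db")
            ok += 1
        except VaultError:
            pass
    return ok


if __name__ == "__main__":
    print("instances that could log in from one shared wrapped token:", simulate_autoscaling(3))
```

Against a real server, pass `http_transport("https://vault.example:8200")` in place of `FakeVault`; the three request functions are the same in both cases. The simulation shows why a single wrapped token cannot serve as a shared artifact: only the first instance to unwrap it succeeds, which is exactly the auto-scaling problem described above.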