"userpass" auth method for Vault Agent

psevestre · October 1, 2021, 7:46pm

Hi,

Currently it seems that Vault agent does not support the “userpass” method for authentication (if it does, please stop reading…).

The scenario where I think this would be useful is during development, specially for database and other dynamic secrets. The developer would start the agent and it would ask the password interactively. After that, it would just be business as usual.

This approach has the benefit that discourages people from putting Vault credentials in source files that end up in shared repositories.

WDYT ? Is this a bad idea ?

aram · October 1, 2021, 11:36pm

IMHO bad idea, userpass passwords aren’t rotate-able, which means whatever is in clear text in the config file with be the password, which also means anyone who gets a hold of it can how access the secrets with that static password from anywhere.

Userpass has the advantage of rotating automatically.

psevestre · October 7, 2021, 1:36am

Hi aram, it would be a bad idea to put them in a config file, indeed, but maybe you’ve missed this part:

The developer would start the agent and it would ask the password interactively

aram · October 7, 2021, 8:58am

I didn’t. You’re mis-understanding the issue. The problem isn’t the interactivity or how the password is handled.

"PASSWORD"s in general are insecure, how you move or pass that information around does not change that fact.

psevestre · October 7, 2021, 11:55pm

I agree that password in general ARE bad. However, since Vault already supports this authentication method, I think that it should also support it when running in agent mode.

Of course, enabling or not this method on a given Vault installation is another issue altogether…

Anyway, thanks for your opinion.

ebuildy · January 29, 2023, 1:32am

Yep for production use case.

But under dev or local, this make life easier!