"userpass" auth method for Vault Agent
Currently it seems that Vault agent does not support the “userpass” method for authentication (if it does, please stop reading…).

The scenario where I think this would be useful is during development, especially for database and other dynamic secrets. The developer would start the agent and it would ask for the password interactively. After that, it would just be business as usual.

This approach has the benefit that it discourages people from putting Vault credentials in source files that end up in shared repositories.

WDYT? Is this a bad idea?

IMHO bad idea, userpass passwords aren’t rotate-able, which means whatever is in clear text in the config file will be the password, which also means anyone who gets a hold of it can now access the secrets with that static password from anywhere.

Userpass has the advantage of rotating automatically.

Hi aram, it would be a bad idea to put them in a config file, indeed, but maybe you’ve missed this part:

The developer would start the agent and it would ask the password interactively

I didn’t. You’re misunderstanding the issue. The problem isn’t the interactivity or how the password is handled.

"PASSWORD"s in general are insecure, how you move or pass that information around does not change that fact.

I agree that passwords in general ARE bad. However, since Vault already supports this authentication method, I think that it should also support it when running in agent mode.

Of course, whether or not to enable this method on a given Vault installation is another issue altogether…

Anyway, thanks for your opinion.