This question may be a little bit “out of the box” so bear with me…
I want to store some creds in Vault to allow an application to log into a remote service, for example IMAP, or to authenticate to a mail server. So far so good, just store the creds in Vault.
An API that opens a connection and authenticates to some remote service typically takes a username and a password. So in my code, I’d need to open the vault, read the secret info and then use it in the API call. My code, however briefly, has access to the secret info.
But is there a way, using Vault, that the auth part happens within the Vault such that my application would never (and could never) get the secret from the vault? Vault essentially calls the connect function with the user’s stored creds and returns to me a working connection.
My question is, does such a thing exist with Vault?
I admit this is a bit out of the box and I am not sure how such a thing might work in a generic way with any given API. Honestly, this may not even make any sense at all.
I don’t control the thing the user might authenticate to. In many cases, it is a username/password. It’s not like I can just implement OAuth2 on some remote server that I don’t own or control. Furthermore, I don’t want to have access to the user’s creds in case my server gets compromised. This is why I am asking this question. Is there a correct way to deal with this situation?
Michael Grant