Using Vault to authenticate

This question may be a little bit “out of the box” so bear with me…

I want to store some creds in Vault to allow an application to log into a remote service. For example, IMAP, or authenticating to a mail server. So far so good, just store the creds in Vault.

Using an API to open a connection and authenticate to some remote service, it typically takes a username and a password. So in my code, I’d need to open the vault, read the secret info and then use it in the API call. My code, however briefly, has access to the secret info.

But is there a way, using Vault, that the auth part happens within the Vault such that my application would never (and could never) get the secret from the vault? Vault essentially calls the connect function with the user’s stored creds and returns to me a working connection.

My question is, does such a thing exist with Vault?

I admit this is a bit out of the box and I am not sure how such a thing might work in a generic way with any given api. Honestly this may not even make any sense at all.

I don’t control the thing the user might authenticate to. In many cases, it is a username/password. It’s not like I can just implement oauth2 on some remote server that I don’t own or control. Furthermore, I don’t want to have access to the user’s creds in case my server gets compromised. This is why I am asking this question. Is there a correct way to deal with this situation?

Michael Grant

Your application is connecting to the remote service, so it is your code which handles all communication with that service and therefore needs to send over the authentication details.

Vault is purely a store for secrets, so isn’t a party to any communications with external services (indeed it has no idea what you might use any secrets it returns for).

Your application will indeed handle the plaintext credentials (assuming that is all the remote service supports) and therefore you need to ensure they are handled in a secure manner. Equally, however, the whole application needs to be created in a security-conscious manner, as regardless of the credentials themselves, once authenticated your application will have access to that external service. So, for example, if it is an IMAP service, your application can read, change or delete any messages stored on the server, so it needs to be securely written to ensure that access cannot be misused.
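To make the reply concrete, here is an added example (not code from the thread or from HashiCorp) of the flow it describes: the application reads the credential from Vault's KV v2 HTTP API, hands it to the IMAP client, and keeps the plaintext scoped to that one call and out of logs. It assumes a KV v2 mount named `secret`, a secret at `mail/imap` with `username` and `password` keys, and a Vault token supplied by the caller; the Vault response embedded below is constructed sample data.

```python
import json
import urllib.request
from dataclasses import dataclass, field


@dataclass
class ImapCredential:
    username: str
    password: str = field(repr=False)  # never shows up in repr(), str() or log formatting


def parse_kv2_secret(body: bytes) -> ImapCredential:
    """Extract username/password from a Vault KV v2 read response.

    KV v2 nests the user-supplied fields one level deeper than KV v1:
    {"data": {"data": {...}, "metadata": {...}}}.
    """
    doc = json.loads(body)
    data = doc["data"]["data"]
    return ImapCredential(username=data["username"], password=data["password"])


def read_imap_credential(vault_addr: str, vault_token: str,
                         path: str = "secret/data/mail/imap",
                         opener=urllib.request.urlopen) -> ImapCredential:
    """GET {vault_addr}/v1/{path} with the token header; `opener` is injectable for tests."""
    req = urllib.request.Request(f"{vault_addr}/v1/{path}",
                                 headers={"X-Vault-Token": vault_token})
    with opener(req) as resp:
        return parse_kv2_secret(resp.read())


def connect_imap(cred: ImapCredential, host: str, imap_factory=None):
    """Log in to IMAP. Vault is not in this path: the app itself sends the password.

    `imap_factory` defaults to imaplib.IMAP4_SSL; it is injectable so the flow
    can be exercised without a network.
    """
    import imaplib
    client = (imap_factory or imaplib.IMAP4_SSL)(host)
    client.login(cred.username, cred.password)  # plaintext crosses the wire here, once
    return client


# Constructed sample of what Vault returns for GET /v1/secret/data/mail/imap (KV v2).
SAMPLE_VAULT_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": {"data": {"username": "alice@example.test", "password": "hunter2"},
             "metadata": {"version": 1}},
}).encode()
```

After `connect_imap` returns, the application no longer needs the password, only the authenticated session, so drop the `ImapCredential` reference as early as possible and never write it to logs or crash dumps.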