What is the right authentication method for a Vault intermediary?

Hi there,

I have a Vault instance running in an internal company network. In order to make it accessible from the outside (internet), an intermediary service has been installed into a DMZ. This way, it is possible to connect from the internet to the intermediary service and then to Vault in order to access certain secrets.

My question refers to the authentication part of that scenario. I would like to use mTLS between Vault and the intermediary service. However, when a request from an external service reaches the intermediary, I would like to forward the security context from the intermediary service to Vault for security and audit purposes. External services have their requests signed with JWT tokens.

In order to authenticate both the intermediary service (mTLS) and the external service (JWT) at Vault, what are my options?


It turns out the answer is quite simple: just configure an additional Vault listener that enforces mTLS. This way, the intermediary service communicates with Vault using mTLS, while any desired auth backend can still be configured for communication between Vault and a service on the internet.
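As an added example (not from the original post or from HashiCorp's documentation), a Vault server configuration with the existing internal listener plus a second listener that requires and verifies a client certificate; addresses, ports, certificate paths and the storage stanza are assumptions:

```hcl
# Added example, not from the original post. Addresses, ports, file paths
# and the CA name are assumed values for illustration.

# Existing listener for clients inside the company network.
listener "tcp" {
  address         = "10.0.0.5:8200"
  tls_cert_file   = "/etc/vault/tls/vault.crt"
  tls_key_file    = "/etc/vault/tls/vault.key"
  tls_min_version = "tls12"
}

# Additional listener reserved for the DMZ intermediary. Vault presents its
# server certificate as usual and additionally requires the client to present
# a certificate issued by the CA in tls_client_ca_file. Connections without a
# valid client certificate are rejected during the TLS handshake, so this
# listener should only be reachable from the intermediary host.
listener "tcp" {
  address                            = "10.0.0.5:8210"
  tls_cert_file                      = "/etc/vault/tls/vault.crt"
  tls_key_file                       = "/etc/vault/tls/vault.key"
  tls_client_ca_file                 = "/etc/vault/tls/intermediary-ca.crt"
  tls_require_and_verify_client_cert = true
  tls_min_version                    = "tls12"
}

storage "raft" {
  path    = "/var/lib/vault/data"
  node_id = "vault-1"
}

api_addr     = "https://10.0.0.5:8200"
cluster_addr = "https://10.0.0.5:8201"
```

The client certificate only gates which host may talk to port 8210; each forwarded request still logs in to Vault with the external service's JWT through the `jwt` auth method (enabled with `vault auth enable jwt`), so the audit log records the external identity rather than the intermediary.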