What is the right authentication method for a Vault intermediary?

pat · January 11, 2021, 3:46pm

Hi there,

I have a Vault instance running in an internal company network. In order to make it accessible from the outside (internet), an intermediary service has been installed into a DMZ. This way, it is possible to connect from the internet to the intermediary service and then to Vault in order to access certain secrets.

My question refers to the authentication part in that scenario. I would like to use mtls between Vault and the intermediary service. However, if a request from an external service contacts the intermediary, I would like to forward the security context from the intermediary service to Vault for security & audit purposes. External services have their requests signed by JWT tokens.

In order to authenticate the intermediary service (mtls) as well as the external service (JWT) at Vault, what are my options?

Thanks!

pat · January 21, 2021, 8:00am

Turns out, the answer is quite simple. Just configure an additional Vault listener that enforces mtls. This way, the intermediary service communicates with Vault using mtls while allowing to configure any desired auth backend for communication between Vault and a service in the internet.

Topic		Replies	Views
Service to Service Authorization and Authentication using JWT Vault vault	0	592	August 4, 2020
Vault for inter-service authentication Vault	0	155	November 25, 2022
How to use VaultTemplate when my vault service turns on client authentication Vault connect , vault	1	583	October 24, 2022
Using Vault to authenticate Vault	1	341	February 17, 2021
App to Vault communication using Service Mesh mTLS within Kubernetes Vault	1	342	September 2, 2022

What is the right authentication method for a Vault intermediary?

Related topics