Where/how to safely store my approle id for a node.js app in production?

Hi, folks.

I’m having a chicken-and-egg problem thinking about where and how to store my Node.js AppRole ID to retrieve the secrets from Vault.

My app was using a .env file to store DB credentials and other secrets until I refactored the code to use Vault, using an AppRole ID to authenticate the app and then retrieve the secrets.

Now I’m having the same problem. Where to store the approle ID safely?

I think there is no meaning in storing it on the .env file again since it seems like I am returning to the same initial problem.

My production environment is an AWS EC2 instance, so I thought about using the AWS Parameter Store, but then again I would need to store AWS credentials on the machine to retrieve the AppRole ID.

Plus, my deployment is made with Bitbucket and AWS CodeDeploy. It implies that the application files will be overwritten every time a new deploy is made. I could store these credentials in the deploy scripts, but they are versioned and stored in the git repository (so it’s not a safe place to put credentials).

It seems I’m on a loop.

Anyone have a clue on how to solve that?

Thanks in advance.

Best regards,

José Compadre Junior

Seems like the typical “Secret Zero Challenge”, there are many education articles and videos about this.
In short: you need to use response wrapping to minimize secret exposure. For approle the secret typically will be secret_id (with TTLs and use count limits), not approle_id, which is mostly used as an “accessor”.
There are some basics here: response-wrap-the-secretid
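As an added example (not part of the original thread, and not HashiCorp's own code), here is what the response-wrapping pattern the reply describes looks like from the Node.js side. The app is handed only a short-lived, single-use wrapping token at deploy time; it checks the token's `creation_path` with `sys/wrapping/lookup`, unwraps the `secret_id`, logs in with `role_id` + `secret_id`, and keeps the resulting client token in memory only. The role name `nodejs-app`, the KV v2 mount `secret`, the token values and the `fetchImpl` injection are assumptions; a mock Vault is constructed inline so the flow runs offline.

```javascript
// Added example, not from the original thread: Node.js bootstrap for the
// "response-wrap the secret_id" pattern. In production, fetchImpl is the global
// fetch and the wrapping token arrives from the deploy step; here a mock Vault
// (constructed below) stands in so the flow can be exercised offline.

async function vaultRequest(cfg, method, path, { token, body } = {}) {
  const headers = { 'Content-Type': 'application/json' };
  if (token) headers['X-Vault-Token'] = token;
  const res = await cfg.fetchImpl(`${cfg.vaultAddr}/v1/${path}`, {
    method, headers, body: body === undefined ? undefined : JSON.stringify(body),
  });
  const json = await res.json();
  if (!res.ok) throw new Error(`Vault ${method} ${path} -> ${res.status}: ${(json.errors || []).join('; ')}`);
  return json;
}

// Steps 1+2: confirm the wrapping token was minted by the expected endpoint
// (lookup is non-destructive), then unwrap it. A creation_path mismatch means
// someone substituted a different wrapped object and must be treated as an incident.
async function unwrapSecretId(cfg, wrappingToken) {
  const expected = `auth/approle/role/${cfg.roleName}/secret-id`;
  const lookup = await vaultRequest(cfg, 'POST', 'sys/wrapping/lookup',
    { token: wrappingToken, body: { token: wrappingToken } });
  if (lookup.data.creation_path !== expected) {
    throw new Error(`wrapping token creation_path ${lookup.data.creation_path} != ${expected}`);
  }
  const unwrapped = await vaultRequest(cfg, 'POST', 'sys/wrapping/unwrap', { token: wrappingToken });
  return unwrapped.data.secret_id; // never written to disk or .env
}

// Step 3: exchange role_id (the "accessor", safe to ship in config) + secret_id for a client token.
async function approleLogin(cfg, secretId) {
  const res = await vaultRequest(cfg, 'POST', 'auth/approle/login',
    { body: { role_id: cfg.roleId, secret_id: secretId } });
  return res.auth.client_token;
}

// Step 4: read the app's secrets from a KV v2 mount (assumed mount name "secret").
async function readKv2(cfg, clientToken, path) {
  const res = await vaultRequest(cfg, 'GET', `secret/data/${path}`, { token: clientToken });
  return res.data.data;
}

async function bootstrap(cfg, wrappingToken) {
  const secretId = await unwrapSecretId(cfg, wrappingToken);
  return approleLogin(cfg, secretId);
}

// Constructed mock of the four Vault endpoints above. It models the properties
// that make the pattern safe: the wrapping token is single-use, the secret_id has
// secret_id_num_uses = 1, and KV reads require a valid client token.
function createMockVault({ roleName, roleId, wrappingToken, secretId, kv }) {
  const wraps = new Map([[wrappingToken,
    { creation_path: `auth/approle/role/${roleName}/secret-id`, data: { secret_id: secretId } }]]);
  const secretIds = new Map([[secretId, 1]]);
  const clientTokens = new Set();
  const reply = (status, obj) => ({ ok: status < 400, status, json: async () => obj });
  const err = (status, msg) => reply(status, { errors: [msg] });
  return async function fetchImpl(url, { method, headers, body }) {
    const path = url.replace(/^.*\/v1\//, '');
    const tok = headers['X-Vault-Token'];
    const parsed = body ? JSON.parse(body) : {};
    if (method === 'POST' && path === 'sys/wrapping/lookup') {
      const w = wraps.get(parsed.token || tok);
      return w ? reply(200, { data: { creation_path: w.creation_path, creation_ttl: 300 } })
               : err(400, 'wrapping token is not valid or does not exist');
    }
    if (method === 'POST' && path === 'sys/wrapping/unwrap') {
      const w = wraps.get(tok);
      if (!w) return err(400, 'wrapping token is not valid or does not exist');
      wraps.delete(tok); // single use: a second unwrap failing is the tamper signal
      return reply(200, { data: w.data });
    }
    if (method === 'POST' && path === 'auth/approle/login') {
      const uses = secretIds.get(parsed.secret_id);
      if (parsed.role_id !== roleId || !uses) return err(400, 'invalid role or secret ID');
      secretIds.set(parsed.secret_id, uses - 1);
      const t = `hvs.mock-${clientTokens.size + 1}`;
      clientTokens.add(t);
      return reply(200, { auth: { client_token: t, lease_duration: 3600 } });
    }
    if (method === 'GET' && path.startsWith('secret/data/')) {
      if (!clientTokens.has(tok)) return err(403, 'permission denied');
      const p = path.slice('secret/data/'.length);
      return p in kv ? reply(200, { data: { data: kv[p] } }) : err(404, 'not found');
    }
    return err(404, 'unsupported in mock');
  };
}

async function demo() {
  const fetchImpl = createMockVault({
    roleName: 'nodejs-app', roleId: 'ROLE_ID_PLACEHOLDER', wrappingToken: 'hvs.WRAP_PLACEHOLDER',
    secretId: 'SECRET_ID_PLACEHOLDER', kv: { 'nodejs-app/db': { username: 'app', password: 'constructed' } },
  });
  const cfg = { vaultAddr: 'http://127.0.0.1:8200', fetchImpl, roleName: 'nodejs-app', roleId: 'ROLE_ID_PLACEHOLDER' };
  const token = await bootstrap(cfg, 'hvs.WRAP_PLACEHOLDER');
  const db = await readKv2(cfg, token, 'nodejs-app/db');
  console.log('logged in; db user =', db.username);
  return { token, db };
}
demo();
```

The deploy pipeline is the only place that ever sees the `secret_id`, and only in wrapped form: it asks Vault for `auth/approle/role/nodejs-app/secret-id` with a wrap TTL of a few minutes and hands the wrapping token to the instance (environment variable of the CodeDeploy hook, instance user data, or similar). Because both the wrapping token and the `secret_id` are single-use, a second unwrap or login attempt fails loudly, which is exactly what you want to alert on; the `role_id` alone is not enough to authenticate and can live in ordinary config.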