Medium » When You Need AppRole: Secret Zero

Before applications can retrieve secrets from Vault, they need to be given a secret from which they can authenticate - this is a bit of a chicken-and-egg conundrum we refer to as the “secure introduction” or “secret zero” problem.

Apps can resolve the dilemma, authenticate to Vault, and retrieve a token in one of three basic ways:

- By using underlying platform identity (cloud provider IAM roles, Kubernetes service accounts, etc.).
- By using operator-provided non-platform authentication (usernames/passwords).
- By bypassing authentication entirely and using a token provided directly to the application - what I call “tokens from the sky”.

Applications authenticating through the platform is best, but not every platform has Vault auth integration. Giving apps non-platform credentials is better (it associates identity with the application), but you still have secure-handling challenges. Giving apps a token from the sky is least-preferred - you have to guarantee secure delivery of that token yourself, and you also don’t get application identity association unless you establish it yourself via entity aliases for every app token you create.

Related Content: How I’d attack your HashiCorp Vault (and how you can prevent me): System Hardening.