Hashicorp Vault

Fleeting

• Référence externe : https://www.hashicorp.com/blog/how-and-why-to-use-approle-correctly-in-hashicorp-vault?product_intent=vault

vault

Hashicorp

KV - Secrets Engines | Vault | HashiCorp Developer

• Référence externe : https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2

AppRole - Auth Methods

• Référence externe : https://developer.hashicorp.com/vault/docs/auth/approle

  

  — https://www.hashicorp.com/blog/how-and-why-to-use-approle-correctly-in-hashicorp-vault?product_intent=vault

  Before applications can retrieve secrets from Vault, they need to be given a secret from which they can authenticate — this is a bit of a chicken-and-egg conundrum we refer to as the “secure introduction” or “secret zero” problem.

  — https://www.hashicorp.com/blog/how-and-why-to-use-approle-correctly-in-hashicorp-vault?product_intent=vault

bypassing authentication entirely and using a token provided directly to the application — what I call “tokens from the sky”.

— https://www.hashicorp.com/blog/how-and-why-to-use-approle-correctly-in-hashicorp-vault?product_intent=vault

Giving apps a token from the sky is least-preferred — you have to guarantee secure delivery of that token yourself, and you also don’t get application identity association unless you establish it yourself via entity aliases for every app token you create

— https://www.hashicorp.com/blog/how-and-why-to-use-approle-correctly-in-hashicorp-vault?product_intent=vault

Role ID is not sensitive and can be used for any number of instances of a given application; you can hardcode it into things like VM or container images

— https://www.hashicorp.com/blog/how-and-why-to-use-approle-correctly-in-hashicorp-vault?product_intent=vault

Secret ID, by contrast, is:

Intended to be access-limited so it can be used only by authorized applications; it may be usable by only a single application or even a single app instance. Intended to be short-lived to reduce the window for compromise; it may be valid for only seconds.

— https://www.hashicorp.com/blog/how-and-why-to-use-approle-correctly-in-hashicorp-vault?product_intent=vault

AppRole pull authentication | Vault | HashiCorp Developer

• Référence externe : https://developer.hashicorp.com/vault/tutorials/auth-methods/approle

Notes pointant ici

• Advanced Data Protection
• Auto-unseal
• debug vault plugin
• difference between Vault and traditional privilege access management?
• how to add auto initialization in the vault helm chart from hashicorp
• how to organise the inter subchart networkpolicies?
• IAM vs PIM vs PAM vs HashiCorp Vault vs Skub
• immutability-io/vault-ethereum: A plugin that turns Vault into an Ethereum wallet.
• immutability-project/VAULT.md at master · immutability-io/immutability-project
• in vault unauthenticated == login
• integrate keycloak with hashicorp vault
• is vault a software HSM?
• keyring vs wallet
• Plugin System | Vault by HashiCorp
• secret
• security model of vault
• use unauthenticated paths with vault
• Using Vault to Build an Ethereum Wallet
• Vault Auto-unseal using Transit Secrets Engine
• Vault Enterprise
• vault migrate
• vault seal migration
• vault secret wrapping
• Vault Transform
• vault transit

Permalink