Konubinix' opinionated web of thoughts

Hashicorp Vault

fleeting

vault

Hashicorp

KV - Secrets Engines | Vault | HashiCorp Developer

AppRole - Auth Methods

bypassing authentication entirely and using a token provided directly to the application — what I call “tokens from the sky”.

https://www.hashicorp.com/blog/how-and-why-to-use-approle-correctly-in-hashicorp-vault?product_intent=vault

Giving apps a token from the sky is least-preferred — you have to guarantee secure delivery of that token yourself, and you also don’t get application identity association unless you establish it yourself via entity aliases for every app token you create

https://www.hashicorp.com/blog/how-and-why-to-use-approle-correctly-in-hashicorp-vault?product_intent=vault

Role ID is not sensitive and can be used for any number of instances of a given application; you can hardcode it into things like VM or container images

https://www.hashicorp.com/blog/how-and-why-to-use-approle-correctly-in-hashicorp-vault?product_intent=vault

Secret ID, by contrast, is:

Intended to be access-limited so it can be used only by authorized applications; it may be usable by only a single application or even a single app instance. Intended to be short-lived to reduce the window for compromise; it may be valid for only seconds.

https://www.hashicorp.com/blog/how-and-why-to-use-approle-correctly-in-hashicorp-vault?product_intent=vault

AppRole pull authentication | Vault | HashiCorp Developer
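The Role ID / Secret ID split quoted above, as an added example that is not from the linked HashiCorp pages: a small Python model of the checks Vault applies during AppRole pull authentication (the public Role ID alone proves nothing; the Secret ID is bound to a TTL, a use count and a CIDR list). Parameter names mirror Vault's role options; the token format and the ordering of checks are this model's assumptions, not Vault's implementation.

```python
"""Constructed model of AppRole pull-auth checks (not Vault's own code)."""
import ipaddress
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class AppRole:
    name: str
    secret_id_ttl: float = 0           # seconds; 0 disables the expiry check in this model
    secret_id_num_uses: int = 0        # 0 means unlimited uses
    secret_id_bound_cidrs: list = field(default_factory=list)
    # Role ID is not sensitive: it may be baked into an image shared by every instance.
    role_id: str = field(default_factory=lambda: secrets.token_hex(16))
    _secret_ids: dict = field(default_factory=dict)

    def issue_secret_id(self, now=None):
        """Pull step: a trusted orchestrator requests a fresh Secret ID for one instance."""
        now = time.time() if now is None else now
        sid = secrets.token_hex(16)
        self._secret_ids[sid] = {"issued": now, "uses": 0}
        return sid

    def login(self, role_id, secret_id, client_ip, now=None):
        """Return (client_token, reason); token is None when login is refused."""
        now = time.time() if now is None else now
        if role_id != self.role_id:
            return None, "unknown role_id"
        rec = self._secret_ids.get(secret_id)
        if rec is None:
            return None, "invalid or already-consumed secret_id"
        if self.secret_id_ttl and now - rec["issued"] > self.secret_id_ttl:
            del self._secret_ids[secret_id]            # short-lived: expired IDs are dropped
            return None, "secret_id expired"
        if self.secret_id_bound_cidrs and not any(
            ipaddress.ip_address(client_ip) in ipaddress.ip_network(c)
            for c in self.secret_id_bound_cidrs
        ):
            return None, "client outside secret_id_bound_cidrs"
        rec["uses"] += 1
        if self.secret_id_num_uses and rec["uses"] >= self.secret_id_num_uses:
            del self._secret_ids[secret_id]            # access-limited: single use consumes it
        return "hvs." + secrets.token_hex(12), "ok"    # constructed token, not Vault's format
```

A hardened role (`secret_id_num_uses=1`, a TTL of seconds, bound CIDRs) makes a leaked Secret ID worthless after the first legitimate login or after the window closes, which is exactly why it is preferred over a long-lived "token from the sky".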

Notes pointing here