secure secrets stored in configuration files using Vault


Elizabeth

Apr 21, 2016, 7:20:54 AM
to Vault
Hi,
I'm a new user of Vault and have read most of the documentation and tried the basics of using Vault. We use several open-source components as part of our SaaS services. These open-source components store several passwords in the clear in configuration files. This is a common practice and I wish to avoid this.
In order to achieve the above using Vault, would it mean I change the logic in the code to read the passwords from Vault instead of reading them from the configuration file (assuming I pre-configure Vault with these secrets, of course)?
Is there a better and more efficient way to use Vault in the above scenario without having to modify the app code logic?

thanks,
Elizabeth

Simon Dick

Apr 21, 2016, 8:09:21 AM
to vault...@googlegroups.com
The easiest way for you would be to use consul-template and populate the config file that way

Simon Dick

Apr 21, 2016, 8:09:57 AM
to vault...@googlegroups.com
Obviously assuming you're using consul too...

Elizabeth

Apr 21, 2016, 9:50:16 AM
to Vault
Thank you for that tip. I wasn't currently planning to use Consul but using Consul with Vault certainly solves my problem - so looks like the way to go.

Jeff Mitchell

Apr 21, 2016, 10:18:41 AM
to vault...@googlegroups.com
Keep in mind that if you use C-T to populate the config files, you'll want those written out into a place that is ideally non-durable storage and access controlled. Otherwise you're basically back at the same situation.

Another possibility if you wish to avoid Vault logic in your applications would be to use https://github.com/hashicorp/envconsul to launch your applications with populated environment variables.

Best,
Jeff

Elizabeth

Apr 21, 2016, 10:50:06 AM
to Vault
That's an interesting point. So when does C-T populate the config files: is it on system startup when the consul-template daemon is run, or is it when the app tries to read the config file? I'd assumed the latter, in which case the values would get populated only in memory, I thought.

Thanks for bringing it up.

James Phillips

Apr 21, 2016, 1:25:46 PM
to vault...@googlegroups.com
Hi Elizabeth,

CT renders the config files when it starts up and whenever it detects that the contents need to change by doing a long poll against Consul and/or Vault, and by monitoring things like lease times for secrets. It isn't aware of any behavior from the application consuming the file. I think Jeff was suggesting having these files get rendered to a non-durable storage area like a RAM disk with file permissions set that only the application can access. This would still be using files, but they could be more ephemeral than files with secrets that are managed without Vault/CT since they would come to be in a secure way and not have to be placed onto the system from somewhere else.

-- James
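As an added example (not code from this thread, and not HashiCorp's consul-template or envconsul), here is a POSIX shell script that does what Jeff and James describe above: it renders a config file into a RAM-backed, owner-only directory through a temp file and an atomic rename, checks that the result is readable by its owner only, and shows the envconsul-style alternative of handing the secret to the application's environment with no file on disk at all. It assumes a hypothetical @@DB_PASSWORD@@ placeholder in the template and takes the secret as a function argument in place of the Vault read that consul-template or envconsul would perform themselves; it also assumes /dev/shm is a tmpfs (Linux) and falls back to $TMPDIR with a warning otherwise.

```shell
#!/bin/sh
# Added example, not code from the thread or from HashiCorp.
# Renders a config file the way a consul-template run would, but only into
# non-durable, owner-only storage, and shows the envconsul-style alternative
# of passing the secret through the process environment instead of a file.
# Assumptions: the template uses a hypothetical @@DB_PASSWORD@@ placeholder
# (a real consul-template template would use {{ with secret ... }} and read
# Vault itself), the secret value arrives as an argument (stand-in for the
# Vault read), and /dev/shm is a tmpfs on Linux hosts.

# Pick a RAM-backed directory for rendered files; fall back to $TMPDIR with a
# warning, because a disk-backed target defeats the purpose Jeff raised.
nondurable_dir() {
  if [ -d /dev/shm ] && [ -w /dev/shm ]; then
    printf '%s\n' "/dev/shm/app-secrets.$$"
  else
    printf 'warning: /dev/shm unavailable, rendering to disk-backed %s\n' "${TMPDIR:-/tmp}" >&2
    printf '%s\n' "${TMPDIR:-/tmp}/app-secrets.$$"
  fi
}

# render_secret_config TEMPLATE DEST SECRET
# Writes DEST as 0600 inside a 0700 directory, via a temp file and an atomic
# rename so the application never reads a half-written file.
# Secrets containing newlines are not handled by this simple sed substitution.
render_secret_config() {
  template=$1; dest=$2; secret=$3
  dest_dir=$(dirname "$dest")
  mkdir -p "$dest_dir" && chmod 0700 "$dest_dir" || return 1
  (
    umask 077                                   # new files are created 0600
    tmp=$(mktemp "$dest_dir/.render.XXXXXX") || exit 1
    # escape sed metacharacters so the secret is substituted literally
    esc=$(printf '%s' "$secret" | sed 's/[&/\]/\\&/g')
    sed "s/@@DB_PASSWORD@@/$esc/g" "$template" > "$tmp" || { rm -f "$tmp"; exit 1; }
    mv "$tmp" "$dest"
  )
}

# Check that a rendered file is a regular file readable by its owner only,
# i.e. "file permissions set that only the application can access".
is_owner_only() {
  [ -f "$1" ] && [ -n "$(find "$1" -perm 0600)" ]
}

# envconsul-style alternative: no file at all; the secret exists only in the
# environment of the launched command.
run_with_secret_env() {
  secret=$1; shift
  DB_PASSWORD=$secret "$@"
}

# Demo: run this script with the argument "demo" to see both paths end to end.
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d) && printf 'db_user = app\ndb_pass = @@DB_PASSWORD@@\n' > "$work/app.conf.tmpl"
  dest="$(nondurable_dir)/app.conf"
  render_secret_config "$work/app.conf.tmpl" "$dest" 'ex4mple/p&ss'   # constructed sample secret
  is_owner_only "$dest" && echo "rendered $dest with owner-only permissions"
  run_with_secret_env 'ex4mple/p&ss' sh -c 'echo "child sees DB_PASSWORD of length ${#DB_PASSWORD}"'
  rm -rf "$work" "$(dirname "$dest")"
fi
```

The umask and mktemp live in a subshell so the rendered file is created with the restrictive mode from the start, rather than being written world-readable and chmod'ed afterwards; the rename is what keeps a reader from ever seeing a partially written file, which is the same reason consul-template writes through a temp file. Note that in a real deployment the rendered file still has to be cleaned up when the service stops, which is easy to forget when the directory is not a tmpfs.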

Elizabeth

Apr 21, 2016, 10:02:38 PM
to Vault
Thank you for that explanation. 

By the way, on digging more into the secret backends available in Vault, I realized that by using the mysql and Cassandra and a few other secret backends, the config file issue gets resolved by the use of dynamic secrets for those particular applications. We also use CouchDB, which is not present currently. But this is an awesome feature among all the other cool things Vault does!!!

Elizabeth

Apr 21, 2016, 10:24:30 PM
to Vault
Correction - the dynamic secrets feature with some of the secret backends avoids services accessing these apps having to hardcode credentials - still very useful.

Jeff Mitchell

Apr 22, 2016, 9:22:06 AM
to vault...@googlegroups.com