Cron job reads secret, script writes new secret on demand


Steve76

Apr 23, 2016, 12:46:30 AM
to Vault
If I need to:
 - run cron jobs with user secrets (no manual user authentication)
 - have secrets written on demand (running process that has read access to all user secrets)

how do you mitigate risks for that? I thought of the following:
 - finest granularity, so Vault tokens for individual <user-secret>, not just user
 - expire user tokens after each cron job
 - audit secret access and lock down if it doesn't match number of cron jobs
 
Here's what I'm struggling with, the last requirement for writing secrets on demand. I tried creating a token that only had rights for auth/token. For tokens created with that, I tried giving a policy allowing them to read secret/<user-secret>. That didn't work, because the child had a policy not available to the parent.

I thought of expiring that user, but that leads me to the same situation. I will need another parent token that has access to all user secrets. If I'm wrong, let me know.

No way am I storing that on the server anywhere. Not with restricted permissions, not with encryption. My only thought is a prompt when I start up my "on demand" script to enter a root-like Vault password, like you do with the command line and sudo.

If anyone has a better way, please let me know.

Jeff Mitchell

Apr 23, 2016, 1:44:43 PM
to vault...@googlegroups.com
Hi Steve,

You might want to look into roles in auth/token, introduced in 0.5.2.
They allow access to generate tokens that do not have the same set of
policies as the parent.

--Jeff
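The setup Jeff's reply points at, as an added example that is not from the thread or from the Vault project: a long-lived "minter" token whose only right is `auth/token/create/<role>`, and a token role whose `allowed_policies` lets each per-job child carry a read policy the minter itself never holds. The role name, policy names and `secret/user-secret` path are hypothetical; `apply_to_vault` assumes a reachable Vault with `VAULT_ADDR`/`VAULT_TOKEN` set and current CLI syntax (`vault policy write`, `vault token create`).

```shell
# Added example, not the thread's or Vault's own code.
set -eu

ROLE="cron-user-secret"           # hypothetical token role name
USER_POLICY="user-secret-read"    # hypothetical per-user read policy

# Policy the cron job runs with: read exactly one secret (constructed path).
cron_policy() {
  cat <<'EOF'
path "secret/user-secret" {
  capabilities = ["read"]
}
EOF
}

# Policy for the always-running dispatcher: it may only mint tokens through
# the role. No path under secret/ is granted, so it cannot read user secrets.
minter_policy() {
  cat <<EOF
path "auth/token/create/${ROLE}" {
  capabilities = ["update"]
}
EOF
}

# Offline check: the minter policy must not grant anything under secret/.
minter_cannot_read_secrets() {
  ! minter_policy | grep -q '^path "secret/'
}

# Applies the policies and role, then mints one short-lived per-job token
# whose policy (user-secret-read) is NOT held by the minting parent.
apply_to_vault() {
  cron_policy   | vault policy write "$USER_POLICY" -
  minter_policy | vault policy write token-minter -
  # The role is what allows a child to carry policies its parent lacks.
  vault write "auth/token/roles/${ROLE}" \
      allowed_policies="$USER_POLICY" \
      explicit_max_ttl=10m renewable=false
  MINTER_TOKEN=$(vault token create -policy=token-minter -field=token)
  # Per-job token: expires on its own after the cron job's window.
  VAULT_TOKEN="$MINTER_TOKEN" vault token create \
      -role="$ROLE" -policy="$USER_POLICY" -ttl=5m -field=token
}
```

Call `apply_to_vault` once against a dev server to see the minted per-job token; the audit log then shows one `auth/token/create/cron-user-secret` entry per job, which is the count Steve proposed checking against.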