TTL secrets and app-id authentication questions


Francisco Javier Romero Mendiola

Jul 19, 2016, 6:45:18 AM
to Vault
I am in a pre-production environment with Vault and a Consul cluster. I have some questions about TTL and app-id authentication:

-TTL: I have read the documentation but I am not sure about it. Does it mean that if I write a secret with "ttl=10m", after 10 min the secret will disappear?

#vault write secret/test key=value ttl="10m"
Success! Data written to: secret/test

#vault read secret/test
Key             Value
---             -----
refresh_interval 600
test             key
ttl             10m

And what does "refresh_interval" mean?

-APP-ID: I will use Vault for storing secrets from applications like configuration, credentials, certificates... But I do not keep up those machines; I will provide authentication for those applications and nothing more. Should I use app-id auth or user&pass?

Regards.

Jeff Mitchell

Jul 19, 2016, 9:08:21 AM
to vault...@googlegroups.com
Hi Francisco,

Vault does not remove secrets from the generic backend. The TTL is
merely a hint to readers as to how often they should refresh. See the
documentation at
https://www.vaultproject.io/docs/secrets/generic/index.html for more
details.

App-ID vs. userpass is up to you. They're not all that dissimilar --
both have a (potentially) public component and a secret component.

Best,
Jeff
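To make Jeff's point concrete for readers of the thread: the ttl on a generic-backend secret is a polling hint, so the consumer is the one that has to act on it. The following is an added example (not code from the thread or from the Vault project) of a reader that parses the ttl / lease_duration hint out of a Vault-style JSON read response and only re-fetches the secret once the hint has elapsed. The JSON response is constructed to resemble what the `secret/test` write in the first post would return; the fetch and clock callables are assumptions so the example runs offline.

```python
import json
import re
import time

# Constructed sample: roughly what `vault read -format=json secret/test` would
# return for the secret written in the first post (key=value, ttl="10m").
# Not real Vault output.
SAMPLE_RESPONSE = json.dumps({
    "lease_id": "",
    "renewable": False,
    "lease_duration": 600,
    "data": {"key": "value", "ttl": "10m"},
})

_DURATION_RE = re.compile(r"(\d+)([hms])")
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(value):
    """Parse a Vault-style duration such as "10m", "1h30m", "45s" or plain seconds."""
    if isinstance(value, (int, float)):
        return int(value)
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    parts = _DURATION_RE.findall(text)
    # Reject anything the regex did not consume completely (e.g. "10x", "m").
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError("unrecognized duration: %r" % (value,))
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def refresh_interval(response_json):
    """Seconds a reader should wait before re-reading the secret.

    Prefers the ttl key the writer stored in the data; falls back to the
    lease_duration Vault reports (derived from ttl or default_lease_ttl).
    """
    resp = json.loads(response_json)
    data = resp.get("data") or {}
    if "ttl" in data:
        return parse_duration(data["ttl"])
    return int(resp.get("lease_duration", 0))


class CachedSecret:
    """Cache a generic-backend secret; re-read it only when the hint expires.

    fetch is any callable returning the JSON response text (assumption: a
    thin wrapper around the HTTP API or CLI); clock is injectable for tests.
    """

    def __init__(self, fetch, clock=time.monotonic):
        self._fetch = fetch
        self._clock = clock
        self._data = None
        self._expires_at = None
        self.reads = 0  # how many times we actually went to Vault

    def get(self):
        now = self._clock()
        if self._data is None or now >= self._expires_at:
            raw = self._fetch()
            self.reads += 1
            self._data = json.loads(raw)["data"]
            self._expires_at = now + refresh_interval(raw)
        return dict(self._data)


if __name__ == "__main__":
    cache = CachedSecret(lambda: SAMPLE_RESPONSE)
    print(cache.get(), "re-read after", refresh_interval(SAMPLE_RESPONSE), "s")
```

Nothing in this loop deletes or rotates anything; the secret stays in Vault until someone overwrites or deletes it, which is exactly why the hint is only useful if the reading application honours it.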

Francisco Javier Romero Mendiola

Jul 20, 2016, 6:41:22 AM
to Vault
Hi Jeff,

I have checked the documentation again and I do not understand what the sense is of setting a "default_lease_ttl" on the generic backend (secret).

For example, I am going to save user and password credentials of systems. Why do I need a "lease_duration" or "refresh_interval" for those secrets?

On the other hand, I have tried the user&pass backend. There are two parameters, "ttl" and "max_ttl", and I have set each one with the same result.

Finally, can I set a lease for tokens? (After logging in.)

Regards.
Francisco

Jeff Mitchell

Jul 20, 2016, 10:37:11 AM
to vault...@googlegroups.com
Hi Francisco,
> I have checked again documentation and I do not understand what it is the
> sense of setting a "default_lease_ttl" to generic backend (secret).

Vault does not support eventing currently, so this provides a way for
writers of secrets to indicate to readers how often they should poll.
You can totally ignore it if you want.

> Finally, Can I set a lease for tokens? (After log in).

Tokens have TTLs, just like secret leases, and a similar renewal and
maximum mechanism.

Best,
Jeff