Best practice exposing Vault publicly


Bart Segers

Sep 9, 2019, 3:13:31 AM
to Vault
Hi,

I have a question on how to expose Vault (CLI and UI) publicly without using any VPN or IP filtering. This would fit in the zero trust networking architecture we want to roll out for other apps as well.

The setup I currently have is hosted on an EKS cluster using Consul and KMS auto unseal. I've enabled the OKTA auth backend and the integration works perfectly.

Now the trick is how I can expose this easily using OIDC integration. I was thinking of setting up an OIDC proxy (oauth2_proxy/vouch/pomerium) and linking this to OKTA. Once logged in, it redirects back to Vault.
This works but will redirect to the login screen, of course. Is it possible to pass the JWT token and log in directly without going via the UI and logging in again? Another issue is the CLI, since this will break the login flow?

If anyone has done something similar, I'd be happy to know.

Michel Vocks

Sep 9, 2019, 9:16:36 AM
to Vault
Hi Bart,

Please be aware that we generally don't recommend exposing Vault's API to the internet. Also, I highly recommend having a look at the Vault Production Hardening Guide, which provides additional tips and concerns.

> Now the trick is how I can expose this easily using OIDC integration. I was thinking of setting up an OIDC proxy (oauth2_proxy/vouch/pomerium) and linking this to OKTA. Once logged in, it redirects back to Vault.
> This works but will redirect to the login screen, of course. Is it possible to pass the JWT token and log in directly without going via the UI and logging in again? Another issue is the CLI, since this will break the login flow?

In my opinion, you don't need an additional OIDC proxy. The OIDC/JWT authentication backend fulfills the same requirements.

Cheers,
Michel
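As an added illustration of Michel's point (not part of either post), here is the Vault CLI configuration for the built-in OIDC auth method with Okta as the provider; the two allowed redirect URIs are what let both the UI login page and `vault login -method=oidc` complete the browser round-trip without a separate proxy. The Vault address, Okta issuer, client ID and client secret are placeholders, and the role name `okta-user` is an assumption.

```shell
#!/bin/sh
# Added example: configure Vault's built-in OIDC auth method against Okta.
# Assumes an operator session (VAULT_ADDR/VAULT_TOKEN set). OKTA_ISSUER,
# OKTA_CLIENT_ID and OKTA_CLIENT_SECRET are placeholders for your Okta app.
set -e

: "${VAULT_ADDR:=https://vault.example.com:8200}"   # placeholder public address

# Redirect URI the Vault UI login page registers with the provider.
ui_callback_uri() {
  printf '%s/ui/vault/auth/oidc/oidc/callback\n' "$VAULT_ADDR"
}

# Redirect URI used by `vault login -method=oidc`: the CLI opens a short-lived
# listener on localhost:8250 to receive the authorization code from the browser,
# so the CLI flow works with no proxy in front of Vault.
cli_callback_uri() {
  printf 'http://localhost:8250/oidc/callback\n'
}

configure_vault_oidc() {
  vault auth enable oidc

  vault write auth/oidc/config \
    oidc_discovery_url="${OKTA_ISSUER:?e.g. https://your-org.okta.com/oauth2/default}" \
    oidc_client_id="${OKTA_CLIENT_ID:?}" \
    oidc_client_secret="${OKTA_CLIENT_SECRET:?}" \
    default_role="okta-user"

  # Role: bind tokens to this client ID, take identity from the email claim,
  # and allow exactly the two callbacks above (CLI and UI), nothing else.
  vault write auth/oidc/role/okta-user \
    bound_audiences="$OKTA_CLIENT_ID" \
    user_claim="email" \
    oidc_scopes="openid,profile,email" \
    allowed_redirect_uris="$(cli_callback_uri)" \
    allowed_redirect_uris="$(ui_callback_uri)" \
    token_policies="default" \
    token_ttl="1h"
}

# Operator:  configure_vault_oidc
# End user (opens the browser, then waits on localhost:8250 for the callback):
#   vault login -method=oidc role=okta-user
```

Each redirect URI is matched exactly by Vault, so keep the list to the callbacks you actually use.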