Using Vault for password rotation

Rizul khanna

May 30, 2018, 2:07:39 AM
to Vault
Dear all,

As I understand, we are using Vault for storing and retrieving passwords. Is it possible for Vault to automatically go and update passwords on VMs, Middleware and DBs in the IaaS private cloud?

I didn't find any suitable documentation for this and I understand that it cannot do it; we need to find some way to update the passwords on the VMs and change them in Vault. Retrieving and storing can be automated, but changing passwords in the VM/MW/DB needs to be done manually.

Please advise.


Thanks and Regards,

Rizul Khanna

Jim Kalafut

May 30, 2018, 10:18:22 AM
to Vault
Hi Rizul,

Vault does not automatically change passwords on other systems. Vault can help manage access to resources using dynamic secrets. Authorized clients will be granted time-limited, revocable access to the resource. You can read more about this in our docs: https://www.vaultproject.io/intro/getting-started/dynamic-secrets.html

Regards,
Jim

Justin DynamicD

May 30, 2018, 4:09:15 PM
to Vault
Vault uses a fundamentally different model than what you're prescribing:

Instead of managing password rotation on accounts, it creates/removes accounts dynamically as needed. So instead of a user requesting a password, he's actually requesting a full set of credentials. When the "time is up", Vault actually removes the account entirely (or invalidates the cert, or whatever, depending on the implementation of the dynamic secrets backend).

In this way Vault doesn't rotate anything ... instead it generates on demand.

The one big gap, however, is that it doesn't rotate its OWN credentials it uses to do this. At least last I checked it didn't.
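The lifecycle described in the replies above, as an added example that is not part of any post in this thread and is not Vault's own code: a small Python model in which a backend creates a fresh account per request, removes it when the lease expires, and keeps using one static root credential of its own. `TargetSystem`, `DynamicBackend`, the `vault_root` account name and all sample values are hypothetical and constructed for illustration.

```python
import secrets

class TargetSystem:
    """Constructed stand-in for a database or VM that holds login accounts."""
    def __init__(self, root_password):
        self.accounts = {"vault_root": root_password}

    def login(self, user, password):
        return user in self.accounts and self.accounts[user] == password

class DynamicBackend:
    """Hypothetical model of a dynamic secrets backend, not Vault's own code."""
    def __init__(self, target, root_password):
        self.target = target
        self.root_password = root_password  # static credential the backend uses
        self.leases = {}                    # lease_id -> (username, expiry)

    def _require_root(self):
        if not self.target.login("vault_root", self.root_password):
            raise PermissionError("backend cannot authenticate to target")

    def issue(self, role, now, ttl):
        """Create a brand-new account on the target and attach a lease to it."""
        self._require_root()
        user = f"v-{role}-{secrets.token_hex(4)}"
        password = secrets.token_urlsafe(24)
        self.target.accounts[user] = password
        lease_id = secrets.token_hex(8)
        self.leases[lease_id] = (user, now + ttl)
        return lease_id, user, password

    def expire(self, now):
        """Drop every account whose lease is up; return the removed usernames."""
        self._require_root()
        due = [lid for lid, (_, exp) in self.leases.items() if exp <= now]
        removed = [self.leases.pop(lid)[0] for lid in due]
        for user in removed:
            del self.target.accounts[user]
        return removed

def demo():
    root = "constructed-root-password"  # constructed sample value
    db = TargetSystem(root)
    backend = DynamicBackend(db, root)
    _, u1, p1 = backend.issue("readonly", now=0, ttl=60)
    _, u2, p2 = backend.issue("readonly", now=30, ttl=60)
    removed = backend.expire(now=61)
    # u1 is gone, u2 is still valid, and the root password never changed
    return removed == [u1], db.login(u1, p1), db.login(u2, p2), db.login("vault_root", root)
```

In this model no existing password is ever changed: the first account stops working because it no longer exists, while the backend's own root login is the one long-lived secret left on the target.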

