Each user has their own passwords


Rodrigo Porto

Jun 27, 2018, 4:00:16 PM
to Vault
Hi, everyone

I started working with this great tool two weeks ago. I would like to use it in order to help my co-workers. However, I think it would be useful if each user had their own passwords, so is it possible?

I have seen in the documentation that this can be achieved thanks to Cubbyhole. I have done a test to try to verify this; however, it seems that the passwords created are not stored. For example:

I authenticate with the user:

vault login -method=userpass username=user password=test


I store the password:

vault write cubbyhole/my-secret my-value=s3cr3t


Verify:

# vault read cubbyhole/my-secret
Key Value
--- -----
my-value s3cr3t


However, if I log out and log in again, the password is gone. Moreover, the Vault UI doesn't let me create or view them.

What should I do?

Thank you very much in advance,

Regards :)

aru...@pixar.com

Jun 28, 2018, 12:59:50 PM
to Vault
You could technically do this with the normal key-value store (v1 or v2) and a per-user policy (until we get some sort of templating system for policies). Of course, a root token can see all the secrets regardless of policy. For this reason I would suggest a personal password manager (i.e. 1Password) rather than storing user secrets in Vault.

Regarding the cubbyhole behavior, from the docs:

The cubbyhole secrets engine is used to store arbitrary secrets within the configured physical storage for Vault namespaced to a token. In cubbyhole, paths are scoped per token. No token can access another token's cubbyhole. When the token expires, its cubbyhole is destroyed.



Aaron
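
The per-user policy approach mentioned in the reply above, sketched as an added example that is not part of the original thread. It assumes a KV v1 mount at secret/ and a hypothetical layout secret/users/<name>/; the function names and the user-<name> policy naming are also assumptions.

```shell
#!/bin/sh
# Added example: render one Vault policy per user, since policies are not templated.
# Assumptions: KV v1 mounted at secret/, hypothetical layout secret/users/<name>/.
# On a KV v2 mount the policy paths would also need the data/ and metadata/ segments.

# Reject names that could widen the policy path (globs, slashes, quotes, empty).
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the HCL policy that confines <name> to its own subtree.
render_policy() {
    valid_username "$1" || { echo "invalid username: $1" >&2; return 1; }
    cat <<EOF
path "secret/users/$1/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
}

# Print (do not run) the commands an operator would review and execute
# after saving the render_policy output to user-<name>.hcl.
# The second command attaches the policy to an existing userpass user.
plan_user() {
    render_policy "$1" > /dev/null || return 1
    echo "vault policy write user-$1 user-$1.hcl"
    echo "vault write auth/userpass/users/$1 policies=user-$1"
}

# Constructed sample users; the last one is rejected because it would
# turn the policy path into a glob over other users' subtrees.
for u in alice bob 'eve/*'; do
    plan_user "$u" || echo "skipped: $u" >&2
done
```

Unlike a cubbyhole, secrets written under such a path belong to the mount rather than to a token, so they are still there after the user logs in again with a new token.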

Rodrigo Porto

Jun 30, 2018, 1:49:43 PM
to Vault
Hi, Aaron

Thank you for your answer.

Regards