Managing user secrets in a web application

I have a situation where I need to manager user API key and secret for an external web service. Since the key and secret are high value, so I’d prefer not to touch them at all. However, the server has to use the secret to access the API on behalf of the user. It would be great if OAuth were possible and the user could grant or revoke access to the app, but there’s no such capability with this API.

I could use something like Vault to store the secrets. Although I’d still have to store the Vault credentials, at least it could be somewhat locked down.

Perhaps there would be a service where the user credentials could be passed to the secret backend and my app would only have the user’s hashed password. The secrets could not be accessed except at login time. I don’t know of such a service.

Does anyone know of such a product or service, or better still a pure BEAM solution?

That’s what I think HashiCorp’s Vault was created for. I don’t know about any pure beam solution like vault … There are services similar to vault in several cloud providers, like azure’s key vault.

It would be nice if there was something that combined something like OAuth as well as user secrets. I’d like to just offload the higher risk stuff to a trusted service.

I didn’t think there was a way to use Vault for user-level secrets. IE. no access to the secret from the application, but only from the context of the user… if I am logged in, the app can access my secret as necessary, but not without my username and password.

Looks like this might do it: https://www.vaultproject.io/api/auth/userpass/index.html

Hmm for me Vault is not for manning user secrets but secrets related to infrastructure like access to database keys etc …
The same Kuberentes and Docker Swarm secrets

For example your application A needs access to database B. Before it can access it ask Vault for key. Vault checks if application can access this database and return correct key. Application use this key to connect to database.

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing

Why can’t it be used for user secrets as well? I think I’ve heard someone talking about this use case. They even provide encryption-as-a-service, I think, to facilitate that.

Ok maybe you are right … But for me it is mostly for infrastructure

@mkunikow, I had also assumed that Vault was intended for infrastructure secrets. Looks like it could do the trick for me.

I just wish I didn’t have to install some other product like Vault. The plus side is that it is completely separate from my app.

@cleaver
@idi527
podcast with hashicorp
http://www.se-radio.net/2017/12/se-radio-episode-311-armon-dadgar-on-secrets-management/