Storing config secrets securely

As part of another project I’ve been looking at ways to securely store secrets, and one of the things that stood out when trying Vault was the ways that apps could be used with it.

So for the case of getting credentials for an app, using the Cubbyhole secret backend seems like a good way to mitigate unwanted access to tokens.

The basic idea is:

  • Enable the Cubbyhole secret backend. (Vault enables this by default.)
  • Create a temporary token with a use count of 2. (The use count specifies how many times that specific token can be used.)
  • Create a permanent token.
  • Store the permanent token in the temporary token's cubbyhole.
  • Pass the temporary token to the container application via an environment variable.
  • The application reads the permanent token from the cubbyhole using the temporary token.

Even if the temporary token is later read by a malicious user, it is useless to them, because its use count will already be exhausted. Of the initial use count of 2, the first use is spent writing the permanent token into the cubbyhole and the second is spent when the application reads it back.
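The flow above against Vault's HTTP API, as an added example that is not from the original post. It assumes VAULT_ADDR and a privileged VAULT_TOKEN in the environment, an existing policy named "app-policy", and the cubbyhole path "cubbyhole/app-token"; the `send` callable is injectable so the two sides can be exercised without a live server.

```python
"""Cubbyhole token wrapping over Vault's HTTP API (added example, not from the post).
Assumed, not from the post: VAULT_ADDR / VAULT_TOKEN in the environment, an
existing policy "app-policy", and the path "cubbyhole/app-token"."""
import json
import os
import urllib.request

CUBBY_PATH = "cubbyhole/app-token"  # assumed path for the wrapped secret


def http_send(method, path, token, body=None):
    """Minimal Vault client. An exhausted or expired token gets HTTP 403 from
    Vault, so urlopen raises: that failure inside the app is the signal that
    someone else already spent the temporary token."""
    base = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{base}/v1/{path}", data=data, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()  # cubbyhole writes return 204 with an empty body
    return json.loads(raw) if raw else {}


def provision(admin_token, send=http_send):
    """Operator side: returns the temporary token to hand to the container.
    num_uses=2: use 1 is the cubbyhole write below, use 2 is the app's read."""
    temp = send("POST", "auth/token/create", admin_token,
                {"num_uses": 2, "ttl": "5m", "policies": ["default"]})
    temp_token = temp["auth"]["client_token"]
    perm = send("POST", "auth/token/create", admin_token,
                {"policies": ["app-policy"]})
    perm_token = perm["auth"]["client_token"]
    send("POST", CUBBY_PATH, temp_token, {"token": perm_token})  # use 1 of 2
    return temp_token


def unwrap(temp_token, send=http_send):
    """Application side: spend the temporary token's last use to get the permanent one."""
    data = send("GET", CUBBY_PATH, temp_token)  # use 2 of 2
    return data["data"]["token"]


if __name__ == "__main__":
    tmp = provision(os.environ["VAULT_TOKEN"])
    # The operator hands tmp to the app via an environment variable, e.g.
    # APP_WRAP_TOKEN=$tmp ./app, and the app calls unwrap(os.environ["APP_WRAP_TOKEN"]).
    print("permanent token retrieved:", bool(unwrap(tmp)))
```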

I’m not sure how easy it would be to integrate. I’m thinking some sort of upstart script that gets the temporary token, then passes it to the Elixir app on startup, and then internally the app does the rest, doing something like Preparing for Production - #2 by sasajuric

Some more info on response wrapping using Cubbyholes:

This post has an example of that, as well as the DB secret backend for authenticating DB users:
