dynamic secrets for access to Vault? #288
Comments
|
|
Hi @whit537 From the description of the issue (and please correct me if I am wrong), you are trying to use Vault as an authentication system. Vault is not really designed for this use case. |
|
@sethvargo Actually, I'm trying to use Vault as a PCI vault (gratipay/gratipay.com#3504), and I'm trying to avoid dragging the entire web app into compliance scope. How can I keep my vault segmented from a PCI perspective, even if someone compromises the web app? P.S. Hi! 👋 :) |
|
To be honest, though, I might be able to solve my problem with ACLs that only allow writing from the web app for the cases I care about. I still think this could be a neat idea, though, even if I don't need it right now. My understanding of dynamic secrets was that they allowed one to generate credentials on the fly for a system like AWS or Postgres. The thought was: What about generating credentials on the fly for Vault? That might require a two-vault setup, dunno. Anyway, feel free to close if you're not interested. I think for my immediate use-case I will explore the ACL option. |
|
@whit537 This is possible! The |
|
Also, in Vault 0.5 you can specify write-only ACLs, which should fit your needs nicely. |
|
Thanks! :-) |
I want to give people access to a web app (at Heroku, as it happens) that has access to Vault, without giving the people the same access to Vault as the web app has. This could be achieved with a
vaultsecret backend that supported dynamic secrets, yes?The text was updated successfully, but these errors were encountered: