Approve auth method creation strategy?


What should be the approve auth method creation strategy? 

Scenario: I'm working for a company where many machines and apps (let's say Jenkins) need to retrieve some secrets, run some apps and complete a workflow. Think that I have many apps and machines. In this case, what should be the approle creation and structuring strategy? Based on app, based on team, totally random, or any other? Is there any limitation? Can any other method replace the approve method, since this is kind of user/pwd: you're configuring it and then using it? Is there a method to rotate the role ID or secret ID? Pros/cons? In which cases should this method be opted for?

Vaultman Topic starter 13/06/2023 3:00 am

It should be the approle auth method, not approve (the system automatically converts it).

1 Answer

@ibrcakmak This is a great question. The way I think about it is first check to see where the application is running. If it's running in a platform that provides an identity to the resources it spins, then check to see if there is a Vault auth method for this platform. Examples:

  • AWS
  • GCP
  • Azure
  • Kubernetes

These platforms will solve for the secret zero problem.

If that's not the case and the app is running, for example, on a VM in vSphere, then approle would be the strategy. I would recommend using the Vault Agent with approle, as it takes care of many functions you would otherwise need to code in the app, such as auto-auth, retrieving secrets on behalf of the app, and others.

The secret ID will need to be rotated on a regular basis. A pipeline should be used to do this and drop the secret ID on the machine where the application runs. Say Jenkins uses the Vault plugin to authenticate to Vault and, on a regular basis, creates a new secret ID and drops it where the Vault Agent can pick it up.
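A concrete shape for the rotation pipeline and agent setup described in this answer, as an added example that is not part of the original post: the role name `jenkins-app`, the policy name and the `/etc/vault-agent` paths are assumptions, and the script expects an authenticated `vault` CLI for the `create-role` and `rotate` steps.

```shell
#!/bin/sh
# Constructed example: rotate an AppRole secret_id from a pipeline and hand it
# to Vault Agent via a file the agent deletes after reading it.
# Assumed names: role/policy "jenkins-app", agent files under /etc/vault-agent.
set -eu

ROLE_NAME="${ROLE_NAME:-jenkins-app}"
AGENT_DIR="${AGENT_DIR:-/etc/vault-agent}"

# Role definition: a short-lived, single-use secret_id limits the blast radius
# of a leaked credential, and the role_id alone cannot log in.
create_role() {
  vault write "auth/approle/role/$ROLE_NAME" \
    token_policies="$ROLE_NAME" \
    token_ttl=1h token_max_ttl=4h \
    secret_id_ttl=24h secret_id_num_uses=1
}

# Pipeline step (Jenkins, logged in with its own Vault identity) mints a fresh
# secret_id and places it atomically with 0600 permissions for the agent.
rotate_secret_id() {
  tmp=$(mktemp "$AGENT_DIR/.secret_id.XXXXXX")
  vault write -f -field=secret_id "auth/approle/role/$ROLE_NAME/secret-id" > "$tmp"
  chmod 0600 "$tmp"
  mv "$tmp" "$AGENT_DIR/secret_id"
}

# Vault Agent config: AppRole auto-auth, secret_id file removed once consumed,
# resulting token written to a file sink for the application to use.
write_agent_config() {
  out="$1"
  cat > "$out" <<EOF
auto_auth {
  method "approle" {
    config = {
      role_id_file_path                   = "$AGENT_DIR/role_id"
      secret_id_file_path                 = "$AGENT_DIR/secret_id"
      remove_secret_id_file_after_reading = true
    }
  }
  sink "file" {
    config = { path = "$AGENT_DIR/token" }
  }
}
EOF
}

case "${1:-}" in
  create-role)  create_role ;;
  rotate)       rotate_secret_id ;;
  agent-config) write_agent_config "$AGENT_DIR/agent.hcl" ;;
esac
```

Run `create-role` once, `agent-config` on the target machine, and `rotate` from the pipeline on a schedule shorter than `secret_id_ttl`.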
